National U.S. Privacy Laws Are Needed

As the most recent security breaches have taught us around the world, losing one’s privacy also means losing one of humanity’s unique attributes — its secrets. The hack at Ashley Madison taught us that no stored data is secure, no matter how much we think it is or if a service, by it’s very nature, implies it’s providing the highest caliber of security and discretion. The spill of this data has led to, among other things, massive lawsuits, an departing CEO and even suicide. As time will no doubt show us — we’ve lost our humanity.

Somehow we missed privacy from the initial design of the Constitution and amendments thereafter. This “right” to privacy was not endowed to us by our Founding Fathers nor does it make up the conscience of our jurisprudence system of government today.

Legally, privacy is, at best, a regulation or a state-level law focused around data protection. The United States is not alone in having few overarching privacy laws. Many people in the world do not have a legal right to privacy. Even in the best of scenarios, countries only have laws focused around some notional data element — like a right to healthcare or financial privacy.

Is Privacy A Fundamental Inalienable Right?

Many questions pervade the notion of privacy, on which the conversation has been somewhat confiscated by information security professionals and ascribed to the notion of “data privacy” as if this is the ultimate arbiter of the question. Isn’t privacy more than data? Questions like the following really provide a powerful sense of the problem:

  • Is privacy an immutable attribute of being human, making this alienable to the human condition? Are private moments, thoughts and intimate communications part of being human, and does removing these conditions equate to removing our humanity?
  • Does one “own” their unspoken thoughts, unseen actions and private, intimate moments? If so, does another body, such as a government or organization, have the “‘right” to confiscate, use or monetize it?
  • Does anyone really feel safer or more protected knowing there is a record of their private moments and acts? When one’s life no longer has the intimacy of sharing a sweet-nothing between lovers, or singing alone in the shower, or being able to just be “you” without anyone knowing, recording or watching, is this really a safer and more humane world?

Big Questions Should Lead To Big Debate

As you can see, the topic is immensely powerful and in no way trite. The real question is, why isn’t there a real national dialogue around the topic? Yes, there is a lot of chatter, but most of the conversation seems vapid. Many of the pundits I see and read seem to be discussing the notion of “net neutrality” or cybersecurity legislation that address data protections, both of which appear to have, at their core, the goal of appointing bureaucrats and assigning budget authorities.

However, the issue is larger than that. The real question of the current various forms of cybersecurity legislation should reach into the heart of the matter and focus on whether privacy is a fundamental human right.

The real debate rests on the central question of whether or not privacy is a human right.

An answer to this question will forever settle the debate on how to proceed with information security regulations and how to react to breaches in our privacy.

Instead, we are left with a quilt of ad hoc, incoherent rules, regulations and micro-laws that define what we should or should not do with privacy.

The History Of Privacy Regulation

In the U.S., privacy legislation started in the state of California, moved briskly across the country and has largely settled into its current landscape. The problem with this approach, although admirable in the specifics, is that one’s privacy is not a geographic or data-driven matter. One’s privacy is not relative to one’s domicile, and this truth leaves most of us wanting for the notion that legislation covers our privacy, regardless of the type of data (e.g., only healthcare or financial information — but all private information, etc.).

As a result, we are left with a threat environment that is exploiting the blind spots between the laws and lack of coverage.

Consequences Of No National Privacy Laws

Generally, I’m not a big believer that laws or regulations are very helpful for the tactics and operations of a security professional. My general feeling is that laws only add to an overburdened staff and generally only increase budgets, which are often misappropriated toward administrative attestation instead of real security.

However, in the case of privacy, there are three real consequences of not having a national privacy law, which will not change until one is passed:

Data Breaches Grow Exponentially. The threat landscape is changing with great velocity. Without a law governing the human aspect of privacy, people will continue to steal, borrow and monetize this valuable asset until it no longer holds meaning. Delay of national privacy legislation is directly related to financial loss and national economic competitiveness. Financial institutions will be the great bearers of these costs as consumers demand to have their institutions provide restitution for their losses.

Your Humanity Will evaporate. With the advent of the Internet of Things (IoT), whereby nearly every consumer device is measuring and monitoring nearly all human behavior (including implantable devices for healthcare), there will increasingly be opportunities to invade deeper and deeper into one’s personal life and, perhaps one day, even into one’s own thoughts and ambitions.

Many people in the world do not have a legal right to privacy.

This technology, although immeasurable on the opportunities for human developmental advancement, will, paradoxically further erode the notion of what it is to be human itself. You will become like a machine, predictable and forecastable in every way — from your health to your passion, your purchasing and interest habits and hobbies. You will be “addressable” in more ways than ever.

Power To The People Is Not Easily Granted. There is a lot of money and interest to be gained by organizations and governments in having the power to pervade one’s privacy. The laws of control suggest that most people who are in charge of organizations and governments will not easily be interested in ceding control of the aphrodisiac, which is spying on those whom they can potentially manipulate.

Is privacy a right? There is a lot to be learned from the debate. However, most of the debate is, in my opinion, an intellectually dishonest conversation. The real debate rests on the central question of whether or not privacy is a human right and, if so, what we must do to protect it and cherish it.

In the meantime, security professionals and businesses who are entrusted with data which have become obvious to protect will continue to bear the cost and operational responsibility to try to husband these protections as best they can in face of an insurmountable challenge.

If you care about this subject, I encourage you to take up the struggle and start calling for energy around a national law in pursuit of a constitutional amendment to settle once and for all the question of whether or not privacy is a right.