Protecting Privacy in a World Without Privacy
A well-intentioned but likely doomed effort.
CBS News (“White House, Justice Department unveil new plan to protect personal data from China and Russia”):
The Biden administration is proposing regulations to help the Justice Department stop data brokers from selling Americans’ personal information to “countries of concern,” the White House announced Wednesday.
President Biden is issuing an executive order that will for the first time propose guardrails that shield bulk biometric and healthcare data and financial information collected by businesses inside the U.S. and that are aimed at preventing the material from being transferred to foreign adversaries, including China, Russia, Iran, Cuba, Venezuela and North Korea. The data — including genomic and geolocation information — are collected by tech companies and sold by legal means to data brokers but can eventually make their way to scammers and intelligence agencies abroad.
The regulations announced Wednesday are expected to work to prevent that. Attorney General Merrick Garland said in a statement that the executive order would give the Justice Department “the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data.”
Senior administration and Justice Department officials say the goal of the new proposed rules is to prevent bad actors located in specific nations from exploiting the lawful free flow of data by scooping up large amounts of Americans’ personal information for misuse.
Personal information collected by U.S. companies is an important resource that nations like China and Russia can leverage into malicious cyber campaigns or attacks on dissidents and activists who challenge their regimes, the officials said.
The new regulations won’t go into effect right away, but will undergo a series of reviews to allow stakeholders to weigh in on them. The government is trying to minimize any economic impacts. Once enacted, the regulations will set expectations for corporations and data brokers to prevent them from transferring data to certain actors who are identified as being of concern to U.S. national security, according to a senior Justice Department official. Enforcement measures against brokers will follow should they violate the rules.
Data broker sales of personal information to nations like China and Russia will be prohibited outright, while security requirements will have to be met before companies can enter into vendor, employment or investment agreements in those countries.
There’s very little to go on here, but I honestly don’t see how this can possibly work—especially with regard to China. Like it or not, our two economies are ridiculously intertwined and, more importantly, most “American” companies have vast Chinese operations. Given that there’s little distinction between the PRC, the Chinese Communist Party, and any large Chinese corporation, this effectively means the Chinese government already has any information that many of these companies have.
Let’s be careful about the precise demands of this regulation of The Private Sector.
Citizens might get the dangerous idea that government can actually solve problems.
I feel that there is something in this EO that is very specific to TikTok. Some tool that they anticipate using very quickly.
It might also have some impact on Russian info-ops, since I think they love to do tightly targeted disinformation “ads” on YouTube and Facebook. That’s much harder to do without the personal data.
I wonder if the DOJ hasn’t gone to some of these operators FB, etc, and told them “those guys are baddies, please don’t do business with them” and got a reply of “their money doesn’t stink”.
This is a tool to make them think twice. “If you keep selling to those guys, you will be facing a prosecution/lawsuit from the Federal Govt.” That’s how I expect this is likely to work.
We are facing a well-funded global disinformation campaign of unprecedented proportions. This seems to be a tool to fight back.
I keep coming back to the idea that individuals need more legal and practical control over their own information, but that brings up a whole nuther set of issues.
I think we can start, though, with legal requirements for corporations, especially those that depend on collecting individual information as part of their business model.
In a world where multinational corporations own so much, I’m not particularly worried about “countries of concern” getting access to my browsing habits or whatever.
China discovering that I watch cat videos and frequently pay my bills on time isn’t worse than the local scammers finding this information.
Put in at least mild, EU level data privacy laws, and restrict data flow about US residents (must be hosted in US, opt-in required for transfer, etc), and then we might make some impact. Until then, it’s not worth bothering with.