Avoiding an Orwellian future through effective regulation
Mon 5 Mar 2018 | Eve Salomon
Eve Salomon, Chair of Privacy International, has spent her career upholding individual rights through regulation and law. Now, in an age of unparalleled technological advancement and the ever-increasing flow of personal data, she is working to protect individuals from both corporations and the government.
Here she speaks to The Stack about what the newest waves of technology mean for us as individuals, as well as how businesses will deal with the upcoming GDPR.
The team at Privacy International advocates for the right to privacy, regardless of who or where you are. With a global outlook, it works with other charity and pressure group partners to build a source of expertise on law, policy and technology.
As well as advocating for better privacy rights, it works to reveal the extent of state and corporate surveillance, and in particular, the way that sophisticated, modern technology combined with weak laws allows serious encroachment into people’s privacy.
How our dependence on the web affects our rights
With those aims in mind, Salomon sees the general dependence on electronic devices and ‘vast global networks’ as a major issue for the individual.
Given how much of our lives are spent online, and how much information we share, this dependence means there is a lot at stake, and a lot to protect. Poorly secured systems lead to hacks and breaches, which leave people vulnerable and have catastrophic consequences for their privacy.
Middle East and North Africa cybersecurity expert Joyce Hakmeh from Chatham House argued in a recent interview with The Stack that one of the issues with legislation in countries in the MENA region was the focus on criminalisation of online behaviour, rather than providing true online security.
Salomon argues that this is, in fact, also the case in countries that might be considered to have more ‘developed’ cybersecurity legislation and regulation.
She believes that when governments argue for cybersecurity they are actually far keener on increasing surveillance and monitoring online behaviour through repressive cybercrime laws than they are on addressing core issues around why our devices and networks are so insecure in the first place.
Trusting governments and companies with your data, argues Salomon, is like letting a bank protect your entire life savings with a single padlock. Organisations, including national governments, she says, build networks, devices and systems that gather vast amounts of data without regard to risk, security or data minimisation.
It’s not just the right to privacy that’s put in danger by a flippant attitude to data protection. The right to be free from discrimination can be damaged as a result of insecure data, as well as our freedom of expression. This means that when we think about cybersecurity, human rights should be an inherent part of the discussion.
Are organisations ready for GDPR?
Businesses should certainly be prepared for the GDPR, given the length of time they have had to get ready for it, says Salomon. Not only have they had two years to change policies, but the move to become GDPR compliant, she believes, is not such a big jump as is often made out.
She describes GDPR as an evolution rather than a revolution in data protection law – if organisations were compliant with the Data Protection Directive, which is already in place, they would be most of the way towards GDPR compliance. They should, therefore, be able to deal with the requirements of the regulations coming in from May.
There are, of course, some big differences. GDPR provides some important weapons for fighting the power imbalance that Salomon argues currently favours the state and industry over the individual.
For these to have the desired effect though, there will need to be measures in place to ensure that the protections are not undermined by exemptions or derogations put in place by national legislatures, such as the UK Data Protection Bill which is currently on the table.
Making GDPR work requires a many-pronged approach. Organisations which are currently lacking in their commitment to data protection need to pull their socks up and ensure this happens.
Civil society, which includes organisations such as Privacy International, needs to play a central role through education and helping individuals understand their rights, as well as by exposing harmful practices and holding poorly-performing companies to account.
Finally, it’s important that enforcers are given the proper resources so that they can implement regulations with a firm hand.
The effect of IoT on data protection
Security problems have been exacerbated by the growth of connected devices, argues Salomon. Many of these types of devices collect data without any transparency about why they do so and who it is shared with. Many of them are also inherently insecure and go to market with potentially severe vulnerabilities.
One of the most notorious examples is the Furby Connect, which allowed hackers to communicate directly with children through a security flaw. The manufacturers of devices like these, says Salomon, need to start introducing security by design, a surprisingly rare feature given their popularity. This could be implemented either through a statutory requirement or through market incentives.
The UK as a global cybersecurity leader
According to Salomon, a lot of what the UK government currently does works well, in terms of cybersecurity good practice, but there is a lot more to be done to make it a model for the rest of the world.
There is a particular challenge in this area because technology changes and develops at a lightning pace, whereas legislative timetables are comparatively glacial. This means that safeguards struggle to keep up – a problem that occurs worldwide.
Given the interconnected nature of cybersecurity concerns, the world is only as strong as its weakest link, meaning countries like the UK have an opportunity to step up and establish themselves as true global leaders.