Authored by: Morey Haber, CTO/CISO at BeyondTrust
Freedom is the privilege and right to act, speak, or even think freely, without hinderance or restraint. People that enjoy freedom have the power to do so without the fear of retribution or imprisonment from the prevailing government. In today’s state, these are ideological concepts that have mixed results upon an individual as these are slowly slipping away due to social media and the flood of propaganda and fake information. However, there is a tradeoff occurring that is creating an unforeseen balance. As our freedom is under attack, states and governments are enacting laws to protect our data privacy. These decrees keep our personal information private when we choose not to exercise our freedom publicly and even give us the right to suppress, delete, or even interrogate our personal information at rest within an entity. It is a tricky balance. Speak or write publicly and you are fair game for retribution. Remain quiet, and your personal information is protected. If you think this is crazy, let us explore a few examples.
If you are a Twitter user, or follow the President of the United States online, I think my argument is self-explanatory. The feed regularly features news, fake news, conspiracy theories, and even name calling of opponents that do not share the same vision of the President. As soon as someone speaks out against the establishment and expresses their freedom, they are potentially a subject for revenge. The freedom of the individual is now a target by the highest office in the land because they choose to speak out and explain their beliefs. This is the government subduing freedom and discouraging open thoughts for debate at the highest level.
Next, consider myself as an author. I have written three books, speak publicly at conferences on the state of cybersecurity, and have been classified as a “public figure” by one of the largest search engines in the world. To that end, there is a conspiracy theory that associates myself as the creator and author of a fictional character named “John Titor”. As I detail in the Forward of my third book, Identity Attack Vectors, I am not the originator of John Titor nor know who is. To that end, several individuals have created lengthy videos, blogs, and essays associating me with this fictional identity. To the best of my ability, I cannot stop these postings online nor convince the online media from repeating these fake claims since I am considered a “public figure”. The conspiracy theorists have their freedom to express their views on who John really is and I have no freedom to remove or suppress any inappropriate attacks based on this misinformation. I have tried using contact information on each site, but have not engaged in any legal process. Why should that be necessary for someone spreading lies?
Today, anyone can say anything about anyone else online, and unless the comments are a direct threat to your well-being, your freedom is gone. By definition, there should be no retribution by other people or the government, but in today’s world, both are slowly fading away. But wait, we do have our data privacy.
For the average person, who is not considered a public figure, they do have data privacy rights per state and federal government. Typically, data privacy is used to protect information classified as Personally Identifiable Information (PII). This includes everything from your birthdate, credit and financial information, even your social security number. Recently, California enacted the California Consumer Privacy Act (CCPA) that protects consumer personal information when shared between consumers and business, and in 2021, in between businesses as third-party information sharing. The goal of the legislation is to protect consumers from PII abuse and targeted marketing that could lead to intrusive sales or another data breach from an unsolicited source that may possess your information. What is striking about this data privacy protection standard is the similarity to GDPR (General Data Protection Regulation). The GDPR is a regulation in the European Union (EU) for data protection and privacy and also addresses the transfer of personal data outside the EU jurisdiction.
An individual in California has the right to protect their personal data and the right to stop that information from being shared. However, if that data is leaked or shared as a part of someone else’s freedom, the ramifications are in a new legal grey zone. Obviously, if someone posts your credit card information online it is illegal. But what if they post your birthday or address? Are there any legal repercussions? Probably not, even though the data is considered PII. If you need any examples just look at all the celebrities that have their birthdates posted on Wikipedia, or even the data posted about myself listing my previous addresses from when I allegedly created John Titor. And, if you own property, the county which you live has posted a plethora of PII as part of your local property appraisers office. Truly, no one is really immune even though we are moving in the right direction.
Therefore, if you’re a public figure, data privacy is a secondary consideration, but if you are a normal citizen, you can take advantage of the legal initiatives designed to increase your data privacy protections. If you consider your freedom and data privacy as a concept that should go hand-in-hand, you are left with a conundrum. As a public figure, you cannot have both. If you are very vocal online with your opinions, you definitely jeopardise your freedom from potential retaliation. The only true way to maintain your freedom and data privacy is to stay quiet and vigilant about your information being shared. Fortunately, I have chosen not to follow my own advice and believe that we need to be allowed to do both--regardless of your public posture--in order to preserve everything we have fought for. We should have freedom without the fear of retribution, and data privacy, regardless of how visible we are in the public spotlight. They should not be mutually exclusive.