The Government is Incompetent with Our Data

Since the implementation of the Patriot Act in 2001, an act implemented after 9/11 to increase national security by collecting our phones’ data and increasing surveillance, the United States Government has been collecting our data, undermining our personal freedoms in the name of counter-terrorism. The digital age has made this extremely easy to carry out. Big tech companies, like Facebook and Google, store information about what we search for or like, and the government has access to this information as well. The extent of this information is scary. These companies can analyze all of our patterns and habits on social media, and can even figure out our emotions based on our actions. The majority of people were unaware of the amount of information the government had until 2013, when Edward Snowden, a whistleblower who worked at the CIA and as a contractor, leaked classified NSA information and let the people know how much data the government gathers. Snowden’s actions remain controversial in the US. While he gave information to the people and exposed the government, he also leaked classified information, putting US security at risk, and he is considered a traitor by the US government. Snowden revealed that the government, through the articles in the Patriot Act, had complete cyber power, and his actions severely decreased the amount of power that the US had. His actions have created a debate in the US that is still occurring today. However, while many people are upset about the amount of information the government has access to, no substantial change to the surveillance laws has happened. This means that the government still has access to our social media profiles as well as texts and emails we send to others.

With all the data and power that the US Government possesses, you would hope that the government would know how to protect it, right? 

This is not the case. While foreign intelligence operatives having access to our information is a security risk to the United States, the government does not seem to place as high a level of protection or importance on our information as it does on other classified information. On several occasions in the past 20 years, the government has put millions at risk through its mishandling of our data.

As seen in the timeline, the United States Government has had many data breaches in recent years, many of them its own fault. Whether through losing a computer or poor security, the government does not have the capacity to handle our sensitive data. One suggestion is to upgrade the security around our information. Looking more closely at the first breach on the timeline, the US Department of Veterans Affairs breach in 2006, this simple solution could have stopped the whole situation from occurring.
In the case of this breach, a data analyst at the Veterans Affairs office kept at his house a computer containing unencrypted information on 26.5 million people. His house was broken into and the computer was stolen. The thief then had access to all 26.5 million names, Social Security numbers, and disability ratings that were on the computer. The people impacted were active and former military members and their families. The situation was in limbo for a few weeks before the laptop and hard drive were returned. However, it was unclear how much data the thief could have taken before returning the device. Families feared having their identities stolen. The VA sent out letters to the families affected, telling them to look out for suspicious activity regarding their personal information. Millions of families were at risk all because of a stolen computer. All the VA needed to do was encrypt the data to give a little more protection, as well as not allow computers to be sent home. These simple steps would have prevented this entire situation.
It was clear after this incident that government agencies needed to upgrade protection for our families’ information. However, this attempt to upgrade security never accomplished its original intent. Millions more people were put at risk due to poor security that allowed hacking and the loss of media.
In January of 2020, the Federal Trade Commission promised better data security for the government, companies, and consumers. However, this was another failed attempt at improving the security of our data. In September of 2020, the VA had another breach, impacting 46,000 people. While this breach is significantly smaller than the breach in 2006, it is clear that the government is still unequipped to handle our information. Furthermore, there were at least 443 government and military data breaches from 2014 to 2018, varying in size and impacting close to 100 million people in total.
It seems as though there is nothing that the government can do to secure our data, as it has tried to upgrade its security and failed on several occasions with the current budget given to it. The two possible paths that the government can take to protect the people are to stop collecting our data, or to invest money into our security systems. The first option does not seem viable, as the government does not want to stop acquiring our data, and many people still support the government gathering data in the name of stopping terrorism. However, the second option could be effective. Investing in security will eventually pay off, because resolving data breaches costs taxpayers and the government thousands of dollars.
On a local scale, here at W&L, we have extensive security measures to try to protect our information, including Duo, which secures our logins into our university accounts. W&L does have access to a fair amount of data; however, it does not have the staff, or care enough, to track us like the US Government does. To find out more about what is done here at W&L to protect our data, I interviewed the Chief Information Security Officer for ITS and asked him about W&L’s policies.

Transcript: “You know what we do with data protection is first and foremost is strong authentication, you know, so usernames and passwords, complexity requirements, and the multi-factor authentication. That’s that first layer of protecting the identity because that’s what for the most part is the biggest weakness for people, you know people are the weakness. We secure computers fairly well, it’s now we are trying to pivot in making sure that the people are also secure. And so access controls are that next layer, you know, things like, you start with the concept of least privilege, you don’t just because somebody is in the business office doesn’t mean they have all access to all the data in there. Or in the registrar’s office, there’s least privilege, so people have access to what they need to get their job done, and that’s it. And so if there is a breach, or an exposure that’s caused by say credentials, you know, then usually it’s going to be limited to what that person had access to as opposed to the entire keys of the kingdom. The third kind of major layer that we try to make sure all products and services incorporate is data encryption, and that’s encryption while the data is in motion, meaning you’re accessing it via the web and https, that’s in motion, and then data at rest is that data in a database. It’s all the way down to either disk encryption or field level encryption in the database. Another layer that we try to make sure that everybody understands is that the data classification, and so we have basically three levels of data, and so if you want to think about that the way, confidential data has the most controls around it, so that’s the things that would get us legal obligations or contractual obligation to make sure that data is secure. The next layer is sensitive, and you know driver’s licenses, Social Security numbers, all of that is that confidential.
The next layer is sensitive, you know for an institution like us, let’s say sensitive data would be about our alumni community and the donors, how much they’ve given and things like that. It’s not gonna get us into trouble, per se, it would get us into hot water with our alumni, but it wouldn’t be a legal battle over ‘hey you disclosed how much Dean gave this year’ so that’s that next tier of sensitive data. The third and final tier is like public data, our campus map, it’s meant to be consumed by the public, but we don’t want the public modifying it, so that would have the least amount of controls around that, who has access to modify that map, and then we publish it on the internet, and then it’s there and then we say that’s our map, that’s our campus, you know that kind of thing. It is publicly available, but who can modify it is not public. The other thing would be around when we have services, so some of our data is onsite, some of our data is offsite, some of our data is processed by third parties. In all of that we have, we try to review all contracts and make sure that there is language in the contract that says this vendor is going to do what we want with our data, or destroy it at the end of a contract. That’s something that has come up multiple times in some of these breaches that you’ve been hearing about on the news, some of it is old data that should’ve been deleted that never was deleted, so when this third party company is breached, there’s old data that should’ve been deleted, purged, is there and it’s now exposed, and so we try to ensure that all of our contracts have those kinds of language in there to make sure that our vendors are doing what we want with our data.
And the last little bit about what we can do is awareness training for our employees, you know everybody is just making sure that people are aware, what are the risks, how can you avoid them, and what are the controls we have in place to help make sure that we don’t have things that are exposed inadvertently or on purpose.”

The most significant contribution that can be made to stop the majority of data breaches is to limit the amount of information that people have access to, and to make sure that the people handling our data know what they are doing and proceed with caution so that no mistake can occur. So while upgrading the government’s defenses against hackers will ultimately be beneficial and would work to some extent, the most effective solution to protecting our data is to have the people working in the government care about the people that they are serving. As seen in the VA case, all that was needed to stop this from occurring was to keep the computer that housed our data in a secure location. This is the case for many other breaches as well. So while constantly upgrading our defenses against hackers would help, the most important thing the government can do is to start taking our information and our lives more seriously.
