Cybersecurity, Emerging Issues in Security, Policies and Training

LinkedIn, FTC, Microsoft, Uber and More Talk Data Privacy

Speaking on topics that included federal legislation, diversity initiatives, and cookie ghostwriting, several officials from big-name companies and agencies spoke during a conference dubbed “The Data Privacy Balancing Act: A Data Privacy Week 2022 Event,” held virtually on Jan. 26. The day’s activities, which included three hours of sessions, were hosted by the National Cybersecurity Alliance and LinkedIn.

Opening up activities for the day was Kalinda Raina, Vice President and Chief Privacy Officer of LinkedIn. “For many of us the events of these past two years have underlined the necessity for data privacy protection and awareness in a big way,” she said.

Federal Legislation

To provide insight on federal legislation, Julie Brill, who serves as Chief Privacy Officer and Corporate Vice President for Global Privacy and Regulatory Affairs at Microsoft, had a question-and-answer session with Federal Trade Commission (FTC) Commissioner Noah Joshua Phillips, who was appointed in 2018.

Notably, Brill also served as an FTC Commissioner from 2010 to 2016, and she said her focus while at the agency was on “privacy, fair advertising practices, financial fraud, and competition.”

Since she left, Brill added, the FTC’s challenges now include “algorithms bias and fairness and algorithmic decision making.”

When Brill asked about upcoming issues at the agency, Phillips said, “I think that there is a trend toward the utilization of more data about consumers on more and different kinds of businesses.”

Phillips said that, even with changing technology, the FTC makes decisions based on whether something is considered unfair or deceptive. Examples of this would include unfair competition or deceptive advertising.

Additionally, he said there is a conversation about “what kinds of harms people are going to take as being privacy harms.”

He believes the biggest issues facing consumers are:

  • cybersecurity;
  • making digital privacy policies easier to understand; and
  • competition between technology companies.

Phillips said that some believe the agency should do more in terms of enforcement against specific algorithms while others believe the courts or Congress should decide.

“I think we’re going to end up getting bad results, both for people in front of us, but also for consumers, if we try to expand our statutory authority beyond what it provides,” he said.

Legislating Privacy

The subject of legislating privacy is also on the mind of Michele Gilman, Venable Professor of Law for the University of Baltimore School of Law.

Gilman is hopeful that the future will include more laws on the use of personal data.

“If Congress can’t agree on comprehensive privacy legislation, the states are going to continue to pass more and more of this as the laboratories of experimentation that they are,” Gilman said.

Gilman was joined by Ruby Zefo, Chief Privacy Officer of Uber, as well as Mary Madden, Senior Fellow at the Joan Ganz Coney Center at Sesame Workshop, during a session entitled, “Considering Privacy in Diversity and Inclusion Initiatives,” moderated by Lisa Plaggemier, Interim Executive Director of the National Cybersecurity Alliance.

While Gilman admitted there are sticking points to why Congress has failed to create a cohesive plan, she is optimistic that federal legislators can eventually agree to one that where universal digital civil rights could be incorporated.

She said that would get rid of “this sort of Wild Wild West situation” and have agreed-upon norms.

“I’m not holding my breath for federal law—you heard it here first,” Zefo said, with a laugh. “I do think we are seeing more calls to action on more fair and equitable ways of treating people.”

Zefo said she feels new laws are not needed for everything but supports incorporating new technologies into the laws that exist, such as equal justice laws.

New Technology

Madden warned that new technology has brought its own problems. She said that COVID-19 brought “experimental and unproven health-related surveillance practices,” such as thermal cameras and facial recognition, to schools and workplaces. She noted concern about disciplinary actions taken against those who failed to comply with pandemic protocols such as wearing masks. 

“If you are worried about what law enforcement will do with a certain technology, then create requirements that they can’t use it for that,” Zefo said, adding that “people create and use technology which can also empower or oppress.”

Even though sometimes people’s use of technology can lead to negative consequences, Zefo continued, “it doesn’t mean we should demonize all of tech.”

Lack of Access to Technology

The speakers at the forum agreed that it’s not an even playing field regarding access to technology.

“Many of the systems were designed without the needs of low-income people in mind,” Gilman said. Specifically, she said systems are incorrectly designed because they assume people:

  • Speak English;
  • Are digitally literate;
  • Have broadband Internet; and
  • Use desktop computers.

Madden said that the inability for low-income Americans to understand how to use technology to access unemployment benefits, when offices were closed due to COVID, led to even more economic distress.

Additionally, she warned that economic distress, like evictions and unpaid credit cards, could greatly impact people’s data profiles long-term for jobs and education.

Speakers agreed that those who experience economic distress should not be labeled for life.

Ghostwriting Cookies

Economic distress could prevent some from purchasing technology that could limit the amount of personal information collected on them, such as anti-tracking software. The new threat of ghostwriting cookies was discussed during the seminar “I Know What You Did Last Summer. Also This Summer. Also Yesterday,” presented by Petros Efstathopoulos, Global Head of Research at Norton LifeLock.

He explained that when consumers visit websites, they get:

  • First-party cookies are directly stored by the website you visit (e.g., user name and password);
  • Third-party entities are created by another entity (e.g., an online advertiser that has an ad on the website that you visit); and
  • Ghostwriting cookies appear to come from the website that you visit but are created by an advertiser who receives all the data.

He said that cookie ghostwriting is “something we really need to keep an eye out for because it kind of demonstrates the evolution of the tracking ecosystem.”

Citing a study done by Norton, Efstathopoulos said “ghosted cookies and third-party cookies are the most prevalent ones” and are “very popular techniques to track people online.”

Businesses and Consumers

Data privacy is an important topic for both consumers and businesses. It is yet to be determined whether state and federal governments will create more data protection laws. However, businesses could see a financial advantage to offering more security over their customer’s data, making them less likely to be victims of cyberattacks. Consumers might be willing to hand over some of their data if it leads to a more customized experience for them as with browser cookies. Data privacy is only going to take on more importance in the future.