Do-Si-Do – dancing with privacy: Trump and Cybersecurity

During the current U.S. president’s administration, we have seen a tremendous effort in protecting digital assets and cybersecurity. Industry experts tend to feel that although the initiatives do not take us as far as we need to go, they have covered immense mileage. Will this change under the new administration? Experts disagree on the answer.

President-elect Trump’s website provides an overview of his initiative, namely launching cyber-offense. We must keep in mind that this website is pre-office and like many presidents, subject to change once reality hits. But let’s look closer at some hints we have at what might be coming or disappearing.

On his campaign website, Trump declares four points as his vision:

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.
    • The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats, and will be followed up regularly at various Federal agencies and departments.
    • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber-attack.
  • Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  • Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

These are ambitious goals and he further elaborated on them in several speeches, such as the one he highlights on that page to the Retired American Warriors.

Cabinet choices: some of the individuals selected for cabinet positions (Attorney General and Director of the CIA) are causing a few concerns in the privacy world according to CNBC.

The president-elect’s selections for attorney general — Sen. Jeff Sessions, R-Ala. — and CIA director — Rep. Mike Pompeo R-Kan. — have argued publicly that the government needs greater surveillance powers.

McSherry said Pompeo poses a particularly worrying risk to American citizens’ privacy, as he has advocated for things like the routine mass collection and use of “social data” from third parties, like Facebook and Alphabet’s Google. Pompeo has also called for Edward Snowden to be put to death, said Chris Calabrese, vice president for policy at the Center for Democracy and Technology.

In addition, Trump reportedly disagreed stringently with Apple’s refusal to help the FBI hack into a terrorist’s cell phone (you remember that story, right?). Supposedly, Trump called for a boycott of Apple products. Now we all have opinions on what was the right thing to do there, but I personally know few people who supported assisting the FBI (I opposed it and I am a diehard FBI fangirl). The issue is no matter how much we love the law enforcement of the USA, we also love the people of the USA and that includes all of their rights and responsibilities guaranteed under the Constitution. We can argue all day long what exactly that means, but if the arm of the government kept its fingers in the pies it should, there would be no problem with privacy. Unfortunately, the zeal for ferreting out bad guys seems to carry no counterweight with some law enforcement. And the history there is undeniable.

But let’s get back to the Trump administration and cybersecurity.

He is openly supportive of the US launching offensive cyberattacks (as evidenced by his own statement provided above). Now, I am not a politician or policy-maker, but I see both good and bad there. I’d love to hear from true cyber-experts if that is the way to go. In most competitions, being strong defensively as well as offensively is highly advised. But will there be a system of checks and balances that draws a clear, uncrossable line? BEFORE there is real harm?

I, for one, truly hope that the new administration continues to build on the advancements made by the current administration. As a nation, we must protect ourselves; but as individuals, we must also protect ourselves and each other. We must avoid a mob-mentality and not give in to mass hysteria…unless a situation becomes so untenable that it takes a national uprising to protect our rights and wellbeing.

I am just not sure what direction that takes or what music it’s dancing to…

What I am sure of is that Trump thinks more in terms of business than politics. Given his recent meeting with Silicon Valley icons, my hope is that he will play ball – or as the title suggests, dance like a businessman (sorry, not sorry) and look for the greater partnerships, which just might be a good thing for us, our privacy rights, and our national cybersecurity efforts. We will have to watch carefully and quickstep if we see it going the other direction. I am afraid this is not one issue that can be stopped easily if it gains tremendous movement – and that can apply in either direction. So here’s to dancing in the right direction!


Lights! Camera! Privacy! wuuuut

What?? Movies about privacy? I mean, cutting edge, action-packed, thriller movies about privacy! Not since the Alfred Hitchcock horror classic Psycho where the poor girl’s privacy was blown to bits (or stabbed to bits) has privacy been so prevalent in movies. (And anyone who doesn’t think killing a naked woman in the shower for entertainment purposes is about privacy... define “naked”.)

Jason Bourne. Silicon Valley, megabillions, internet start-up conspired with the CIA to build in back doors in exchange for funding and then only tried to stand up for privacy once the start-up Deep Dream made all their money. I make no judgments about their lack of reality with technology, just that to the masses, when the CEO tells the CIA director played by the amazing Tommy Lee Jones, “Privacy – you should be protecting it!” (or something like that, I was writing on a napkin in the dark, people) – it was stellar!

There was a party in my privacy geek genes.

And then! Then it really went crazy when I saw Now You See Me 2. First, I love this movie. Movies that keep me guessing…don’t happen often. This one did. LOVED IT. Not to mention the amazing cast of characters. plus magic. equaled MAGIC!! And again, about privacy. The wizard, no wait, magician – no, he wasn’t a magician, he was a paranoid spoiled illegitimately-claimed illegitimate son of a millionaire who wanted to steal a chip that provided back doors into everyone’s life. He wanted to be private. And he claimed that you cannot reform the system from within it (which has major philosophical implications for a later discussion).

But wheeeeee – the privacy geek genes are still partying!

Why Work in Privacy?

Often, when asked what I do, the person is totally flummoxed when I respond that I am a privacy attorney. Sometimes, they will even ask – what does that mean? Well, if I said I was a contract attorney or a patent attorney, they would understand, right? It means I handle contracts or patents – or specifically in my case, I handle privacy.

Ah – that’s the problem, they don’t understand privacy. I mean, seriously, how do I find enough work to fill 40 hours a week?

Privacy is the concept that information about ourselves is shared only with the individuals/companies whom we want to know those things about us.

Simple, right? Not so much.

So why would anyone want to work in privacy? All day long, every day, the whole year, for decades, we fight a battle that few people ever see. It’s like starring in a vampire drama – there’s a fight happening in a world that most people don’t see and would not believe. And like vampires, we typically work in the dark, our emergencies happen at night, and we live off a critical element that is very personal to people….data. And to most of our colleagues, we’re the boogie men who come to steal your profits while you’re sleeping (or when you’re bad).

So why work in privacy?

My top five reasons:

  1. I’m such a geek rebel that I C# and bleed java. I am building a complete Padme parade dress costume for ComicCon. My UAV isn’t even registered. I speak in movie quotes. And Sheldon is my hero. Bazinga!
  2. Unlike most corporate attorneys, I may work for the company, but my job is to protect the little guy. I always did go for the underdog – I liked Tom Wopat not John Schneider and I preferred Larry Wilcox to Eric Estrada. I may look like a heartless corporate attorney, but really…I’m all squishy inside.
  3. The field is growing by leaps and bounds. Everywhere you turn, there is data being collected, used, shared, abused, lost, forgotten, manipulated, and more! Technology is getting smaller, stronger, and can hold more data.
  4. The privacy field is a gender neutral one. Perhaps because of the way it grew up, women tend to have equal pay and leadership roles.
  5. My ADD (Attention Deficit Disorder) has free rein! I am never bored; I can work on 46.3 projects at a time; and given how fast the field changes – if I don’t like something, it is likely to be different tomorrow.

Being a privacy professional is a calling for certain people and requires flexibility, rampant curiosity, thick skin, and a relentless gift for persuasion. If you don’t love it – don’t get in it. It is not a profession for those seeking glory or an easy desk job.

Teachers gone Wild: Lifestyle Privacy

Many public sector employees are held to higher standards than the average person due to the nature of their position and their potential influence on other people. Should they be? Is this discrimination? Is the discrimination justifiable?


At times, we see a morals clause used to address potential misbehavior. A morals clause is a contract provision, typically used in relation to public figures (athletes, actors, news and political personalities), that prohibits the employee from engaging in certain acts. These disallowed acts may include inappropriate sexual acts or drug use, but can include requirements that the employee “dress neatly in public, to conduct himself according to the highest standards of honesty and sportsmanship, and to refrain from doing anything that would be detrimental to the best interests of the team or league” (for further information, please see this article). Engaging in social media insults of one’s employer could fall within a morals clause, but would not be something the typical employee/employer would encounter – although it is becoming more common for executives. This, however, is completely aside from the National Labor Relations Board’s decisions and guidances on social media policies.

Additionally, there are still certain career fields in which the employees are seen to be role models to our youth. One example of this relates to the private lives of teachers (see this story on a kindergarten teacher fired for nude photos). Before the advent of social media, teachers’ private lives were more easily separated from their professional lives. While being subject to public scrutiny may not be new, having one’s personal life so easily available is relatively new, as is facing severe repercussions from it (and this does not account for the egregious phenomenon of impersonators). Courts have taken two avenues to evaluate whether a teacher’s private actions are subject to employer review: a public official view or a student-speech view (whether the speech would substantially interfere with the educational duty) (Miller 2011).

Miller states that “[t]here are basically four types of internet speech that could put at risk a teacher’s relationship with his or her school district: 1) befriending students on social media sites and communicating inappropriately with them, 2) criticizing the district, school, students, parents, or the community online, 3) posting what school districts may deem as inappropriate photos or comments (usually things that are sexually explicit or that promote alcohol or drug use), and 4) commenting on political or social issues.” Teachers may see more disciplinary action and control if their private-life postings are viewed from the perspective of their being a public official in a position of trust than if the question is whether their postings substantially disrupt the educational duty.

The question that we face is “Is this right?” Is it okay to restrict a teacher’s private life because we feel that they should be held to a higher standard than other people? What about cops, firemen, nurses, doctors, lawyers, preachers, etc.? More specifically – or more generally, I guess – is it fair to hold anyone to a certain standard in their private life as long as the behavior is not illegal?

Which brings us to lifestyle laws (more appropriately called lifestyle anti-discrimination laws, but for the sake of brevity and ease of conversation, I will call them Lifestyle laws). Lifestyle laws prohibit discrimination against someone at work based on their personal lifestyle choices – and in most cases, this is directed towards risky health behaviors, such as smoking, as applied to health insurance premiums through one’s employer. In many states plus the District of Columbia, employers are prohibited from banning employees from smoking off work premises. Plus, twelve states protect the use of any lawful product during non-work hours, such as alcohol or even unhealthy foods. Currently, only California (CAL. LAB. CODE § 96(k)), Colorado (COLO. REV. STAT § 24-34-402.5(1)), New York (N.Y. LAB. LAW § 201-d(2)), and North Dakota (N.D. CENT. CODE § 14-02.4-03) have comprehensive protection statutes that protect employees for any lawful activity outside work.

Not only do the various state laws differ in what behavior they protect, but courts interpret them differently. Once you mix in social media, it’s a circus out there! People should be free to do what they want to do within legal boundaries and laws should not be required to permit people to do so. Good googli moo.

Keep in mind that there are federal laws against discrimination based on protected classes (Title VII of the Civil Rights Act of 1964) and disabilities (Americans with Disabilities Act) – so lifestyle laws are in addition to any protection under these areas. Plus, in general, government employees are protected by the equal protection and due process clauses of the federal constitution.

I leave you with this thought – are we as a society free to engage in lawful behavior even when it indirectly impacts others’ lives (such as higher health care costs)?

Executive Women in Privacy – my recollections and reflections

This past week, I had the privilege to speak on a panel with three amazing women, Ruby Zefo (Intel), Sharon Anolik (Privacy Panacea), and Debra Bromson (Jazz Pharmaceuticals) – moderated by Lourdes Turrecha at the inaugural Privacy+Security Forum in DC. Our topic: Breaking the glass ceiling – executive women in privacy. We have all been to other presentations on this same or a similar topic, so we were determined that we would present candid, authentic, and hopefully inspirational content. I did not take notes, so we are relying on my admittedly poor memory to bring you the best of what I took away – without attribution to the speaker in an effort to preserve the safe environment.

Challenges we faced and how to overcome them:

In privacy, whether staffed in the legal department or not – it is hard for others in the business and in legal to comprehend the impreciseness of our area of law. Privacy means complying with laws/rules/regulations. We all happen to be attorneys, but privacy executives don’t have to be lawyers. Privacy is a fluid, rapidly developing, and capricious field. For us, we have faced the same challenges that most women in law face. We have faced people not knowing what the heck we are doing or aiming for. We have faced the typical challenges of working in male-oriented fields – technology, medicine, etc. And that is a situation that women in privacy face whether they are lawyers or not.

Best advice

  • Be flexible. Be creative.
  • Be business savvy.
  • Demonstrate your value. Toot your own horn.
  • Do not waste 30 seconds in an elevator with the CEO cracking a joke…be prepared with a recent accomplishment to share that contributed to the company.
  • Bring yourself to work, but keep it professional.
  • Be authentic.
  • Leave toxic environments.
  • If you are meeting with executives, be an executive presence. If you are meeting with IT, dress to fit in. You don’t have to agonize over it, but impressions count. Do they see you as one of the gang? Don’t set yourself above them just to make a point.

Is the privacy field an equal playing field for women?

For the most part, yes. Some of us have not really seen the inequality in our privacy area, but it still exists within the company. We have met the “Queen Bee” – that woman who rules the roost and is unwilling to help others or share the limelight – but not really worked with such people in privacy. Okay, well, maybe we did, but it’s old school and we managed to change the situation.

In general, our technical counterparts are typically male. Learn to work with them. And in most cases, form a bonding relationship where there is mutual trust and respect (mine was my “at work husband”). Don’t be afraid to ask them to “dumb it down,” but also don’t be afraid to challenge them.

We are often still the only woman in the room. I am unapologetically feminine and proud of it. It does not mean that I am inferior. And we certainly don’t help ourselves with apologizing for being women – which is what we do when we act as if we expect to be treated as inferiors. Do we have to prove ourselves? – yes. But we already earned the position, so we deserve it. Which leads to the….

Imposter syndrome

Do we feel like imposters? I do, just sitting on this panel. I am ambitious. I have been an executive and also not an executive – and not in a linear path. I have taken jobs that were a step back in rank in order to step up in expertise. All four of us came from different perspectives, but in general, the tone was that we have earned what we have. It may be a tendency of women to think that we have somehow been put in a position that we don’t truly deserve, but that is our own self-doubt and not something that anyone pushed on us.

When given more responsibility, one woman faced quite a few people who asked if she was okay – was she going to be able to handle it? Her response – if I were a man, that person would have said congrats, it will be tough, but you have already shown that you can handle such responsibility. And she told him so.

Take-aways

The points to take away from this panel were that we are accomplished, qualified professionals who happen to be women. We face unique challenges, but being confident in your talents and skills will take you far. How to take that next step? Volunteer. Network. Don’t be afraid to stand up or stand out.

Be unapologetically you. As long as you are not a serial killer.

Electronic Frontier Foundation’s Open Letter to Facebook

Disclaimer: a privacy person at Facebook was in touch with me through mutual friends, but at this time has merely reiterated the request for ID. Hopefully, she is working back channels to help.
The Electronic Frontier Foundation has posted an open letter to Facebook about the social media site’s authentic name policy. You can sign this open letter on that link.

“Even though Facebook claims it has improved its policy, users continue to get kicked off the site, losing access to support groups, an essential political platform, and all their contacts and content. Some users have even had accounts reinstated with their legal names, putting their safety at risk.”

This resonates with me on so many levels, especially the loss of access to support groups. I use one support group for my autoimmune disorders and it’s on Facebook. In addition to losing the connection with so many people in one convenient spot, I lost the one support group that truly helped me make it through life’s challenges. Good googli moo! I just admitted that social media is truly a worthy endeavor.

Here are the demands:

• Commit to allowing pseudonyms and non-legal names on your site in appropriate circumstances, including but not limited to situations where using a legal name would put a user in danger, or situations where local law requires the ability to use pseudonyms.

• Require users filing real name policy abuse reports to support their claims with evidence of abusive behavior.

• Create a compliance process through which users can confirm their identities without submitting government ID.

• Give users technical details and documentation on the process of submitting identity information such as where and how it is stored, for how long, and who can access it. Provide users with the ability to submit this information using PGP or another common form of encrypted communication, so they may protect their identity information during the submission process.

• Provide a robust appeals process for users locked out of their accounts, including the ability to speak to a real Facebook employee.

I openly signed the letter and encourage others to do the same. If proof of identity – if real names – were so vital to social media, it would be a requirement to sign up. People would know this openly beforehand.

A variety of groups signed the letter, including the ACLU, the Center for Democracy and Technology, Digital Rights Foundation, One World Platform, Global Voices Advocacy, and Human Rights Watch. Given the incredible amount of damage that this policy can cause to people – from direct threats to indirect – one would think that Facebook would rethink this policy. Perhaps the most frustrating is that once you are blocked for their review….you cannot reach anyone there to discuss it.

To be clear: my real name is K Royal and I support social media. I loved Facebook and its potential.

signed,
Authentically K Royal

Fired by Facebook?!

I was recently fired by Facebook*. Not as an employee, as a customer – even more shocking, right?

Here’s the thing…I opened my Facebook account and saw this message – confirm my identity. As a privacy attorney, I thought nothing of it….wow, a social media platform adding extra security steps. Except it’s not a security step for my account.

The next screen asked me to enter the name by which I am conventionally known. Well, I entered my name “K Royal” which rather than thanking me for my prompt attention took me to a page in which I was asked to submit government identification to prove I am me. I was outraged! and that is an understatement.

Turns out, if one does not wish to upload two forms of government ID, one can choose from about 30 non-government ID options, but at least one must contain a photo and date of birth.

Funny enough, I had just posted my nursing badge in the whole #nursesunite campaign against The View for mocking Miss Colorado, although Ellen DeGeneres countered that brilliantly.

This is truly and utterly ridiculous. Let me count the reasons:

  1. It’s a social media site. Not a government benefits site or healthcare or financial or education. Social. Fricking. Media.
  2. Facebook has questionable privacy policies – have you heard?
  3. They’ve been engaged in this ridiculousness for a couple of years and caught some heat for it.
  4. They say that there is no algorithm to detect potentially unreal names, but they tend to target groups of people.
  5. They say they want your “authentic” name – the one you go by on a daily basis. How many of us would be caught by that, because the name we go by is not on government ID? In this digitized world, it is very difficult to get government ID or an ID with a picture and a date of birth showing a nickname rather than a birth name. Consider my cousin, Skinny, who has gone by the nickname “Skinny” for 70 years or so. The only ones who even knew his government ID name were his mom, brother, and the Social Security Administration. He was forced to change it to Michael on Facebook, because they would not accept the name he went by in daily life and he did not want to upload three forms of ID to prove Skinny. I was ready to battle for him, but he decided to acquiesce. I should’ve battled, cause look at me now.
  6. My name is K Royal. Yes, at one time, there was something else there, but it is no longer. Has not been for many years. I have gone by K since at least I was six years old. I have about 100 different stories behind my name, but the point is- K Royal is my true, legal, documented, full name.
  7. What the heck will Facebook do with my ID if I do send it? which I won’t.
  8. It is easier for them to Google “K Royal privacy” than it is for them to review anything I did send.
  9. Sending ID over open email is utterly, unequivocally stupid.
  10. Facebook does not offer a secure alternative to sending ID, anyway. And if they did, I still would not trust them.

So I have been fired from Facebook. One of the privacy professionals who truly enjoyed them. They have not yet answered my communication to them asking about it. I am apparently no one to them, but on the other hand – I just might finally get an Instagram account!

Fired.

Don’t let the digital door hit you in the button on the way out.

*Facebook is a trademark owned by Facebook, Inc. Any other trademarks used in this post are the owned marks of their respective companies.