In the realm of digital privacy, Eric Hughes' seminal cypherpunk manifesto provides an important lens through which to evaluate the Biden administration's February 28 executive order (EO). Although the EO is intended to protect sensitive information from misuse by foreign adversaries, a closer look reveals a short-sighted approach that falls short of the cypherpunk vision of enhanced privacy.
Hughes' definition of privacy emphasizes the power of selectively revealing oneself to the entire world, including foreigners and U.S. citizens. Mr. Hughes emphasizes the importance of individual ownership in managing personal information. In his view, privacy is not just about keeping secrets, but about having the autonomy to choose what information to share with whom, including advertisers, data brokers, foreign hackers, and representatives of U.S. law enforcement. It is said that
To Hughes, top officials in the Biden administration would likely seem to have neglected the broader issue of allowing individuals to protect the sensitive data they choose to share with others, and their focus on protecting data from foreign or external threats would seem half-hearted in scope.
The EO emphasizes the need to control personally identifiable information (PII) shared with international organizations. “The unrestricted transfer of large amounts of sensitive personal and U.S. government-related data of Americans to such countries of concern could exploit such data for a variety of illicit purposes, including participating in malicious cyber-exploitation activities. there is a possibility”
That's all well and good, but it sets a pretty low bar for protecting personal privacy. Not to mention the idea that large datasets of PII should be prevented from being freely shared with actors in countries of concern. We will take a more nuanced view of personal privacy and require the ability to have ownership and autonomy over sensitive data no matter where it travels, whether to 'countries of concern', within our own borders, or even to our own governments.
While protection from foreign actors is important, true security and privacy require a special type of offense, not just defense against external threats from nation-state actors or countries of concern. This requires proactive measures and granular policy controls to help individuals (and commercial enterprises) manage large amounts of sensitive data that is intentionally shared but requires tight protection.
The failure of the EO to address domestic privacy concerns is a significant oversight. By focusing solely on protecting data from foreign exploitation, the order ignores the reality that bad actors can violate privacy in the United States. I would argue that Hughes believes true privacy protection must encompass all potential threats, whether those threats come from abroad or domestically, and even from one's own network of contacts.
In line with Hughes' vision, truly enhancing privacy requires individuals (and organizations) to take two steps:
- Play defense by protecting the sensitive data they own from theft by malicious parties.
- Play offense by taking ownership of the data they choose to share with others.
Enhancing privacy is not just about taking defensive and reactive measures against external threats. It is also about demonstrating initiative and forcing government agencies to deploy offensive and proactive tools to maximize control over the data they voluntarily share.
We too can benefit from higher standards of personal privacy. In addition to giving our data the proper respect, we also maximize the value and usefulness we get from it because we have confidence in its integrity. When we can control the fate of our own data, protecting it with encryption controls, sharing it securely with people and entities of our choice, and retaining the ability to revoke access if we change our minds about who has it, we will become better stewards of American citizens' personal data.
The Biden administration's EO on digital privacy represents a step in the right direction, but it falls far short of the cypherpunk vision of enhanced privacy. As with much of conventional cyber wisdom, the Biden administration's chief executives are short-sightedly focused on defending against external threats. This completely misses the point that fine-grained policy controls over the data we all choose to share, aggressively enforced and applied in a specific way, make for a better offense.
John Ackerly, Virtru Co-Founder and CEO