Public-Private Partnerships: Sharing Data, Compromising Privacy

Our privacy is up for sale to anyone—even government and law enforcement agencies

There are things that the government is allowed to do that private entities can’t. This includes activities such as arresting people and throwing them in jail, executing search warrants and engaging in electronic surveillance and wiretaps without the express or implied consent of at least one of the parties. At the same time, there are things that the private sector may be permitted to do that either may be prohibited to the government or which the government eschews because it is politically unseemly or untenable. While Facebook can collect and use information about your political affiliation, preferences and the like, the government doing so would be loudly decried as undemocratic and violative of citizen’s rights of free association, free expression and other rights. Similarly, the private sector can collect information about a citizen’s purchasing history, credit information, employment information and other data which, if collected by the government on innocent individuals not suspected of any crime, would cause a public outcry.

However, in the era of big data, we are seeing an increase in the government access to and use of data collected by the private sector. For example, U.S.-based Securus Technology collected the location data of cell phone users from another company called LocationSmart in Carlsbad, California. (Oh, and because Securus didn’t … well, secure us, the credentials of those who were authorized to access this database were not secured and the location data was similarly leaked to anyone who could access the database.) While federal law restricts telcos from sharing customer data with law enforcement officials, it permits (sometimes with consent buried in user agreements) sharing some of that data with third parties, who then are allowed to share the data with whomever they want.

Location data also can be collected by third-party apps—entities such as Facebook and Google or any website itself. So LocationSmart shares with Securus, and Securus shares the data with law enforcement officials, and voilà! Cops can pull up both near-real-time location data and historical location data on anyone in the United States with no warrant, no probable cause or no paper trail. No muss, no fuss and no notice to the data subject. North of the border in Canada, the big three telcos— Rogers, Telus and Bell—share customers’ location data with a company called EnStream, which may then share that data with the Mounties.

In other reports, private companies such as Forth Worth-based Digital Recognition Network and its sister company Vigilant Solutions use stationary and mobile cameras to capture the location of every vehicle through automated license plate readers (ALPRs). While government agencies may be precluded from collecting and storing such data on innocent individuals (and from conducting data analytics on such data), these restrictions do not necessarily apply to the private sector. These technologies have the ability to collect, store and process the location of every car (and presumably their owners, drivers or occupants) anywhere in America. The data is then sold to repo men to look for both stolen cars and those late on payments, as well as to law enforcement agencies for whatever use they may want.

If the police want to know if someone is home at a particular location, in many jurisdictions they can simply access the local public utility (gas company, electric company, etc.) and check to see if the lights are on in the home. In many cases, the police have agreements with utilities (including those owned by taxpayers) to share that data.

Social media facial recognition software can be used by law enforcement to match the identity of suspects with activities both online and offline. Credit reporting agencies databases can be used to track individuals.

The problem is not law enforcement access to these databases. It’s law enforcement access to these databases without a warrant, without probable cause and without any limitation on what they can do with them. In effect, we are turning the private sector into agents of the police—collecting, storing, analyzing and reporting information that we prohibit to the police. In the United States we may not care if Waze knows where we are, but we may very much care if police are using Waze to conduct surveillance of us. We may not care if security cameras at our local church, synagogue or mosque capture our image as we walk in to pray, but might object to the government using facial recognition software to keep tabs on our religious preferences.

We know that data leaks. It leaks (deliberately or inadvertently) from the private sector to the government and vice versa. It leaks from secure database to insecure ones and, ultimately, to hackers or foreign governments. While information-sharing is generally thought to be a good idea—and as part of the public-private partnership, it must be done with appropriate safeguards. You know, the ones the Founders envisioned: court-ordered warrants.

There’s an old joke that the difference between capitalism and authoritarianism is that in an authoritarian government the government represses rights, suppresses liberty and makes life miserable for the citizenry. But in a capitalist country, those things are left to the private sector. With public-private partnerships, we may no longer make such a distinction.

Mark Rasch

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark