Communications Daily is a service of Warren Communications News.
Peeking in ‘Black Box’

Privacy Advocates Expect FTC’s Chief Technologist to Accelerate Data Encryption, Transparency Work

“Would it be possible to get Professor Sweeney?” asked a panelist at the White House’s March 17 workshop on big data at New York University. An audience member had just asked a question about how individuals -- both professional and nefarious -- could access encrypted data. The panel turned to recently appointed FTC Chief Technologist Latanya Sweeney, data anonymity researcher on leave from Harvard University, who was merely an observing audience member. “I don’t want to put her on the spot,” said the panelist, Microsoft Principal Researcher Kate Crawford. “But Latanya Sweeney has written many papers on precisely how people get access to big data.”


Privacy advocates have pushed the FTC to be more vigorous in its data privacy and security pursuits -- more explicit with its privacy best practices (CD Dec 17 p8), more aggressive in challenging certain tech mergers, more assertive with data brokers (CD Dec 20 p6) and more active in its safe harbor enforcement. But advocates were unanimous in their praise, and surprise, for the FTC’s decision to hire Sweeney as its chief technologist, in interviews with us. She’s known as having an “aggressive, out-there research agenda,” said Center for Democracy and Technology (CDT) Chief Technologist Joe Hall, and for promoting the myriad ways encrypted data and sensitive data can be re-identified.

Sweeney essentially “created the entire field” of data re-identification, said Deborah Peel, chairwoman of Patient Privacy Rights (PPR), which advocates for increased consumer access to healthcare data. “Absolutely a warrior for privacy.” Indeed, panelists at the NYU White House event deferred to Sweeney on re-identification even though she wasn’t presenting. “Even today there are just tens of thousands of Social Security Numbers available on the web, and there’s just no shortage of ways” to get access to them, Sweeney said from the audience.

The FTC’s agenda in the coming months dovetails well with Sweeney’s expertise -- data anonymity, healthcare data and big data, officials said. FTC Chairwoman Edith Ramirez has said the commission will issue a report on in-store mobile tracking that will benefit from her expertise, Hall said. A May 7 FTC seminar will focus on consumer-generated and controlled health data, an area where Sweeney gained attention with TheDataMap, which visualizes all the ways in which health data are shared (http://1.usa.gov/PNiIKL). And a Sept. 15 all-day workshop on big data will focus on how companies are using data to categorize customers and whether they are protecting personally identifiable information (CD April 14 p13).

Both Ramirez and FTC Commissioner Julie Brill have said Sweeney will be integral to these efforts. Ramirez even hinted at a possible report on data anonymity (CD March 7 p13, March 10 p9). “We don’t have her for very long,” said Brill of Sweeney’s brief tenure, which started in January and runs through September. So the FTC plans to make use of her prowess while it can, Brill said. Privacy advocates and researchers told us they hoped to see Sweeney use her influence to represent the FTC at high-profile tech policy events, encourage the FTC to take a solutions-oriented approach to its research, and propose policy and technology design ideas through her blog -- Tech@FTC (http://1.usa.gov/1g3z8b2).

"Before I got here, to me the FTC was like this black box that I really didn’t think did anything,” Sweeney told us, laughing, in a recent interview. Several months into her tenure, that has changed, she said: “If you make data sharing more transparent, then the FTC sits in a great position to be able to use its authority to figure out and spot these problematic errors where individuals may be being harmed.” Currently, the FTC’s authority arises from its investigatory, research and enforcement capabilities, Sweeney said. But Sweeney could envision a future in which the FTC also builds “the technology that would help solve this problem or add transparency here or help us with our enforcement activity."

Sweeney has built this type of technology. While at Carnegie Mellon University in 2001, she founded the Data Privacy Lab -- housed at Harvard since 2011 -- to research methods of confidentially sharing data. In response to ongoing FTC reports of exploding identity theft -- the most common complaint reported to the agency for 14 years running -- Sweeney and the lab helped create Identity Angel in 2006. The software crawls the Web for publicly available information, and tries to link that information to sensitive information that could be used to acquire a fraudulent credit card, which requires a name, Social Security number (SSN), home address and date of birth, according to Identity Angel’s page on Sweeney’s personal website (http://bit.ly/1j0mPKa). It can alert individuals to the issue and have the information removed, said Sweeney’s website.

"I think that’s what [Sweeney] can introduce to the FTC,” said Ontario Information and Privacy Commissioner Ann Cavoukian, the only person to hold that role in Canada. Data protection research and guidelines are valuable, but “I think it’s essential to offer solutions,” Cavoukian said. An early proponent of the phrase “privacy by design,” Cavoukian has spent nearly two decades pushing both the U.S. (CD March 5 p16) and Canadian governments to not just promote privacy in products, but to offer specific methods to achieve that privacy. “The FTC has very good policies and procedures,” she said. “But you need all of that translated into, ‘What can we do right now on the ground?'”

"For the most part, very few areas of enforcement in the government actually build technologies to help them do their job better,” Sweeney told us. “In law enforcement, you do get digital forensics a little bit, but those technologies really do resonate with the kind of thing that a place like the FTC or other places may find useful.”

Another program Sweeney helped develop, SSNwatch, identifies suspicious SSN use. It cross-references certain details -- the issuing state, date issued, estimated age of the recipient -- with information provided in resumes or job applications, searching for inconsistencies, according to SSNwatch’s page on Sweeney’s website (http://bit.ly/1nbPYsJ). She also worked on CameraWatch, which mined thousands of URLs looking for publicly available webcams (http://bit.ly/QdrC42). Both might apply directly to recent FTC enforcement actions. In September, the FTC settled a complaint with TRENDnet over allegations that its lax security standards allowed hackers to post online the feed to more than 700 private cameras (CD Sept 5 p13). And the commission’s recent settlement with movie ticket seller Fandango and credit score monitor Credit Karma over allegedly failing to properly secure payment information (CD March 31 p8) is just the most recent of several FTC settlements to cite exposed SSNs as a reason for action.

"It may turn out in the future that these [types of software] are the kinds of things the FTC may also do,” Sweeney said. Not necessarily Identity Angel, SSNwatch or CameraWatch, she said, “but the idea of thinking, ‘well, we could build the technology that would help us do “X,” or we could build the technology that would help solve this problem or add transparency here or help us with our enforcement activity.” Cavoukian hopes Sweeney spreads this mindset at the FTC. Sweeney “doesn’t do research just for the sake of academic pursuit,” Cavoukian said. She wants to make her research “provable,” said Cavoukian. “It’s got to work on the ground."

Sweeney remains coy about specific projects, such as a data anonymization best practices report -- “that’s how the black box works,” she said, laughing. But in her three months with the FTC, she has publicly discussed data flow transparency through her Tech@FTC blog and as a panelist at the March 3 White House big data workshop at the Massachusetts Institute of Technology. “Having her at these things adds enormous value,” Cavoukian said.

On the blog, Sweeney has published footnoted posts topping 3,000 words. There was a Feb. 12 post about tracking MAC addresses on smartphones (http://1.usa.gov/1dkVaFz), a March 6 missive on mobile app design (http://1.usa.gov/1g3c8ZQ) and, most recently, an April 3 dispatch on data sharing transparency (http://1.usa.gov/1il1Pia). “The way I’ve been doing these blogs is to take a problem and then sort of say, ‘I don’t know the answer, but here are three approaches,’ now what do you guys think?” said Sweeney. “If all she does is those blog posts, that’s OK with me,” said CDT’s Hall. “Those blog posts are very tangible.” They allow her -- and the FTC -- to explore hypothetical solutions “without people like me bombarding them with requests for meetings,” Hall said.

The data sharing transparency post cut across two areas where some wish the FTC would play a bigger role -- health data and data broker oversight. “The biggest problem is not the extent of [data] sharing, but individuals and authorities having insufficient knowledge of the sharing to be able to assess potential harms,” Sweeney wrote. She pointed to TheDataMap in the post, the interactive visualization of data flows she created in 2010, which shows all the spiraling ways a patient’s health data are shared. Since its inception, researchers have added 27 new categories to TheDataMap and thousands of new companies that exchange health data, according to her website.

"There are hundreds of edges” on the map, Sweeney told us. “But only about half of them are covered” by federal privacy laws, namely the Health Insurance Portability and Accountability Act. And many of the connections on the map are secret or quite hidden, she said. Privacy advocates have urged Congress to grant the FTC sole authority over health data security. They argue the commission’s tech savvy makes it better suited than the Department of Health and Human Services to monitor the privacy of these edges, which are proliferating because of the exploding telehealth and mobile health space. “I think the FTC stands in a perfect position to really help in this regard,” Sweeney told us.

So does Sweeney, privacy advocates said. “She knows the technology inside and out,” said World Privacy Forum Executive Director Pam Dixon. WPF published in 2012 an interactive map displaying all the data flows of California’s health data (http://bit.ly/1ndXC5N). Sweeney is “one of the people who understands our work to pin down data flows,” Dixon said. PPR’s Peel, a physician and psychoanalyst, said health policy is too often “made by people who don’t know anything about medicine.” She thinks Sweeney can pass on that knowledge at the FTC. PPR partially funds TheDataMap and Peel said she has worked with Sweeney in “figuring out how to make all this accessible to the public.” That’s a goal with the blog, Sweeney told us. “The more hidden [these data flows are], the harder it is for an individual to know you’re being harmed,” she said.

Sweeney’s April 3 post segues into four proposals to give consumers access to, and knowledge of, data shared about them. Two are based on Sweeney’s data map concept. Perhaps companies should “augment privacy policies to include a data map that shows flows of personal information to and from the company,” she wrote. Or maybe software could produce individual data maps, she wrote. “Imagine having technology that would produce a personal datamap for a person, showing the actual flows of the person’s information across organizations over time,” she wrote. Alternatively, companies could be required to provide, upon request, a copy of the personal information they have on any consumer, Sweeney wrote.

The other suggestion is a “public registry,” a variation of an option privacy advocates have lobbied for and Commissioner Brill has promoted with her “Reclaim Your Name” initiative (CD Oct 24 p14). Sweeney described the idea: “Each time a company sells or shares a substantial amount of sensitive personal data, information about the data sharing arrangement appears in a publicly available log maintained at the company’s website.” This approach “provides information that immediately helps authorities, policy makers and researchers identify possible risks of harms,” Sweeney wrote. And if a company experiences a data breach, consumers could check to see what information was exposed, she said.

Dixon and Brill have suggested the public registry should be maintained not at each company’s website, but in a centralized database controlled either by an industry coalition or a government agency. At a Senate Commerce Committee hearing in December, Dixon said consumers should be able to go to this central portal to opt out of any data collection (http://bit.ly/1jLqq2b). “I’d really love to see Latanya work on how would a national data broker opt-out mechanism work,” Dixon said. “Consumers could go to some place mediated by the FTC and say, ‘OK, I want to have all my health and financial info off of data broker lists.’” Brill has touted a similar mechanism, but controlled by industry partners, in numerous speeches (http://1.usa.gov/1l81d5F). Many of those industry partners have balked at the proposal, calling it technologically infeasible and lacking in specifics. “It’s a complex task,” Dixon said. “But I think Latanya’s up to the challenge.”