Following a series of high-profile data leaks and hacks, many concerned Americans are now demanding stronger data privacy regulations. Some are even suggesting the European Union’s General Data Protection Regulation is a model worth adopting, including, surprisingly, Michael Chertoff, George W. Bush’s second Department of Homeland Security secretary.
That’s exactly the point he makes in his new book, “Exploding Data“. He expanded on those ideas—and how his national-security experience has left him willing to trust the government with “metadata” about the who and when of our communication but not the keys to decrypt its contents —in an interview Wednesday.
A pitch for regulation
The GDPR’s extensive list of rights goes far beyond U.S. law—yet because it’s often easier for companies to ship one version of an app, U.S. citizens have benefited from its provisions requiring user permissions and controls.
Chertoff called the roughly 54,000-word GDPR “somewhat over-bureaucratic and complicated” but would enshrine the GDPR’s core logic in U.S. law.
“The principle that people ought to have some right to control their data is a principle we need to adopt ourselves,” he said.
Specifically, as he writes in Exploding Data, Chertoff would require companies to get your buy-in for “extrinsic” uses of data, those beyond making the app you’re using work better. Others—such as third-party marketing—would become a permission-only enterprise.
Chertoff would even import a limited version of the EU’s “right to be forgotten” rule. But instead of letting citizens demand that search engines like Google (GOOG, GOOGL) suppress “inadequate” or “irrelevant” links in searches for their names, he would limit that to false and defamatory material.
Chertoff also voiced support for giving customers a choice not required by GDPR rules: “get the service by paying for it as opposed to getting it by giving your data over.”
First, though, Congress will have to work together.
“I’m not holding my breath that that’s going to happen tomorrow,” he said. “We don’t have a Congress that’s particularly adept at working across party lines.”
Different rules for the government
Another key argument Chertoff (today, executive chairman of the Chertoff Group, a Washington-based consultancy) makes in Exploding Data may not have so many of you nodding in agreement.
That’s his contention that we should let the government keep more “metadata” about our communications as long as it can’t look at the information without judicial permission in instances of national-security and cybersecurity purposes.
Chertoff called that “a much more finely-grained approach to how we balance surveillance and security” and pointed to lessons learned after the 9/11 terrorist attacks.
He allowed that his archive of metadata could be kept by private companies as long as they only hold it for a set duration: “I still think that’s something of significant value.”
That picks up on a key provision in the USA Freedom Act. That 2015 bill, which curtailed the National Security Agency’s bulk surveillance, requires telecom carriers to keep calling records that the NSA had previously harvested.
Counting on Big Telecom to stand up to the Feds on your behalf may seem like wishful wonkery, but Chertoff said he hopes to see the courts or Congress stiffen those companies’ spines.
He pointed to the recent Supreme Court ruling in Carpenter v. U.S. that police need a search warrant to get historical cell-site location information. That punched a hole in the “third-party doctrine,” the idea that if you give data to an outside firm you can’t expect it to stay private.
Chertoff noted a dissenting opinion from Justice Neil Gorsuch arguing that the entire third-party doctrine lacked sense, and that citizens should instead retain ownership of data they provide to companies. “Usually, changes begin with dissents, and ultimately they get incorporated into majority opinions,” he said.
Encryption is a good thing
In the interview, Chertoff reiterated his earlier support for another limit on government curiosity: strong encryption without “special access” for law enforcement.
“We should not undermine or restrict encryption because the value of the population as a whole in having secure encryption outweighs the fact that in any individual case it would be nice to be able to decrypt the conversation,” he said.
And he’s not persuaded by recent proposals to make this special access more secure—perhaps by storing these extra keys in separate parts.
“If you’re doing it at scale, not just once in a blue moon, the problem is going to be transmitting the fragments over time and space,” Chertoff said. “It may very well be that some genius engineer will come up with a perfect way to split the key and have it be invulnerable but available, but I have not seen that yet.”
Digital daily habits
In his own life, Chertoff said his own skepticism has led him to opt out of many common digital habits. He has an Amazon (AMZN) Echo, for instance, but “it’s in a box, unplugged.”
He would hold gadget companies responsible for insecure connected gadgets: “I think there ought to be more responsibility, including potential liability, for failure to put in basic requirements of security.”
Some networked pastimes are completely off-limits, though. “I don’t do social media,” he said before complaining of widespread fake accounts and wondering “to what extent do you allow anonymity to continue?”
And you won’t hear him complaining about the wireless at a conference: “I don’t, for example, use public WiFi or hotel WiFi.”
But Chertoff also said he prefers to make larger payments via check: “If I can do it on paper, I’m always, you know, happier to do that.” That’s the opposite of most security advice, considering how many more hands touch a paper check versus an electronic payment and the resulting high reported rates of check fraud.
But we know paper, while we’re still learning our way around bits. And Chertoff’s observation of the encryption debate applies to more than just that: “People tend to overestimate their ability to protect things.”
More from Rob: