Following a series of high-profile data leaks and hacks, many concerned Americans are now demanding stronger data privacy regulations. Some are even suggesting the European Union’s General Data Protection Regulation is a model worth adopting, including, surprisingly, Michael Chertoff, George W. Bush’s second Department of Homeland Security secretary.
That’s exactly the point he makes in his new book, “Exploding Data“. He expanded on those ideas—and how his national-security experience has left him willing to trust the government with “metadata” about the who and when of our communication but not the keys to decrypt its contents —in an interview Wednesday.
A pitch for regulation
TheGDPR’s extensive list of rights goes far beyond U.S. law—yet because it’s often easier for companies to ship one version of an app, U.S. citizens havebenefited from its provisions requiring user permissions and controls.
Chertoff called theroughly 54,000-word GDPR “somewhat over-bureaucratic and complicated” but would enshrine the GDPR’s core logic in U.S. law.
“The principle that people ought to have some right to control their data is a principle we need to adopt ourselves,” he said.
Specifically, as he writes in Exploding Data, Chertoff would require companies to get your buy-in for “extrinsic” uses of data, those beyond making the app you’re using work better. Others—such as third-party marketing—would become a permission-only enterprise.
Chertoff would even import a limited version ofthe EU’s “right to be forgotten” rule. But instead of letting citizens demand that search engines like Google (GOOG,GOOGL) suppress “inadequate” or “irrelevant” links in searches for their names, he would limit that to false and defamatory material.
Chertoff also voiced support for giving customers a choice not required by GDPR rules: “get the service by paying for it as opposed to getting it by giving your data over.”
First, though, Congress will have to work together.
“I’m not holding my breath that that’s going to happen tomorrow,” he said. “We don’t have a Congress that’s particularly adept at working across party lines.”
Different rules for the government
Another key argument Chertoff (today, executive chairman of the Chertoff Group, a Washington-based consultancy) makes in Exploding Data may not have so many of you nodding in agreement.
That’s his contention that we should let the government keep more “metadata” about our communications as long as it can’t look at the information without judicial permission in instances of national-security and cybersecurity purposes.
Chertoff called that “a much more finely-grained approach to how we balance surveillance and security” and pointed to lessons learned after the 9/11 terrorist attacks.
He allowed that his archive of metadata could be kept by private companies as long as they only hold it for a set duration: “I still think that’s something of significant value.”
Counting on Big Telecom to stand up to the Feds on your behalf may seem like wishful wonkery, but Chertoff said he hopes to see the courts or Congress stiffen those companies’ spines.
Chertoff noted a dissenting opinion from Justice Neil Gorsuch arguing that the entire third-party doctrine lacked sense, and that citizens should instead retain ownership of data they provide to companies. “Usually, changes begin with dissents, and ultimately they get incorporated into majority opinions,” he said.
Encryption is a good thing
In the interview, Chertoff reiterated his earlier support for another limit on government curiosity: strong encryption without“special access” for law enforcement.
“We should not undermine or restrict encryption because the value of the population as a whole in having secure encryption outweighs the fact that in any individual case it would be nice to be able to decrypt the conversation,” he said.
“If you’re doing it at scale, not just once in a blue moon, the problem is going to be transmitting the fragments over time and space,” Chertoff said. “It may very well be that some genius engineer will come up with a perfect way to split the key and have it be invulnerable but available, but I have not seen that yet.”
Digital daily habits
In his own life, Chertoff said his own skepticism has led him to opt out of many common digital habits. He has an Amazon (AMZN) Echo, for instance, but “it’s in a box, unplugged.”
He would hold gadget companies responsible for insecure connected gadgets: “I think there ought to be more responsibility, including potential liability, for failure to put in basic requirements of security.”
Some networked pastimes are completely off-limits, though. “I don’t do social media,” he said before complaining of widespread fake accounts and wondering “to what extent do you allow anonymity to continue?”
And you won’t hear him complaining about the wireless at a conference: “I don’t, for example, use public WiFi or hotel WiFi.”
But we know paper, while we’re still learning our way around bits. And Chertoff’s observation of the encryption debate applies to more than just that: “People tend to overestimate their ability to protect things.”