Forthcoming in IEEE Security & Privacy
Government Access to Private-Sector Data
Fred H. Cate
Governments around the world are demonstrating a growing appetite for personal information held by the private sector. Public-sector interest in private-sector data is nothing new. Governments have long sought access to private enterprise data to administer social service programs, tax schemes, business and professional licenses, voter registration, vital records about major lifecycle events, and public infrastructure. They have also sought access to targeted data for law enforcement and national security purposes.
But the new voraciousness for private-sector data is reflected in expanding demands for wholesale access to information, and not just about individuals who warrant suspicion but about everyone. Furthermore, this demand is supported by the extraordinary growth of digital technologies that can record, store, and share electronically individuals’ records, communications, movements, finances, relationships, and even tastes.
A Growing Demand
We’ve recently seen an explosion in the demand for private-sector data:
India, Saudi Arabia, United Arab Emirates, Lebanon, and Indonesia have all demanded real-time access to Research in Motion’s Blackberry Enterprise and Messenger services, so they can have access to otherwise encrypted communications.
The US Treasury has announced its intention to move beyond the 1.3 million suspicious activity reports and 14 million reports on international money transfers of more than US$10,000 that it currently receives each year. Instead, it will require disclosure of all 750 million annual money transfers into or out of the US.
The US Transportation Security Administration has implemented its Secure Flight and Automated Targeting Systems programs, which require that all airlines—irrespective of their location—must collect and report personal information about passengers on flights into or out of the US.
Governments in Europe and elsewhere have created mandatory data-retention laws, giving governments access to private-sector data even after the information would normally have been discarded.
The US Federal Bureau of Investigation is seeking an amendment to the Communications Assistance to Law Enforcement Act that would require social networking companies and peer-to-peer providers, such as Facebook, Twitter, and Skype, to give law enforcement access to private information. The amendment would also require firms that offer encrypted communications to decrypt the text for law enforcement.
Google has begun disclosing the number of demands for user data that it receives from government agencies. Brazil and the US top the list, which altogether includes 13,700 requests during the first six months of 2010 (see www.google.com/transparencyreport/governmentrequests/).
The US, UK, and other countries have asserted the legal right to seize laptops and other computing devices at the border, copy their contents, and require access to encryption keys without articulating any suspicion or providing access to counsel.
This is just a sampling of the recent expansion in the access that governments want. Each month brings new demands as governments seek to expand their reach and individual data become more exposed to government scrutiny.