Reporting on data security and privacy: Tips from Dipayan Ghosh

 
A collection of locks
(Pixabay)
By

In early 2018, journalists worldwide scrambled to understand the reach and implications of the Cambridge Analytica scandal involving Facebook data. The British political consulting firm had acquired personal information on Facebook users from a researcher who the company contends was only authorized to use the data for academic purposes.

In recent years, journalists across many beats — including banking, retail and education — have had to cover data security and privacy breaches. In 2013, for example, hackers stole tens of millions of credit card numbers from Target in what Bloomberg News called “the biggest retail hack in U.S. history.” In late 2017, Uber users learned hackers stole the personal data of 57 million of the ride-sharing service’s customers and drivers. Meanwhile, newsrooms across the globe are reporting on the potential impacts of the General Data Protection Regulation (GDPR), a European Union law introducing tougher rules on data privacy that takes effect May 25, 2018.

To help journalists understand and ask better questions about digital security and privacy, Journalist’s Resource interviewed privacy engineer Dipayan Ghosh. Ghosh, a former privacy and public policy advisor at Facebook who had also served as a technology policy advisor for the Obama Administration, shared some tips on how he thinks journalists can improve their work.

Ghosh spent the spring 2018 semester as a fellow at Harvard’s Shorenstein Center on Media, Politics and Public Policy, of which Journalist’s Resource is a project.

Here’s what he had to say. For brevity and clarity, we summarized some of his statements.

When we talk about breaches involving banking data, Target customer data and the data to which Cambridge Analytica gained access, are we talking about the same thing?

They are similar in that they all involve a third party who illegitimately gained access to data, Ghosh said. The Cambridge Analytica scandal did not involve the sort of malicious security hacking reportedly involved in other recent incidents, however. “What happened in that situation is that a researcher legitimately gained access to the data and then illegitimately sold it to Cambridge Analytica,” he said. “Hacking is more about breaking into a security system.”

What are journalists missing in their reporting on data breaches?

Considering that what’s known about a data breach can change as an investigation progresses, Ghosh recommends reporters be transparent about their sources of information. They should also help the public understand that what company leaders and other authorities report at the start of an investigation probably will change – and could change dramatically – as they learn more about what happened.

Data breaches “are incidents that throw a whirlwind at the company that has been breached and they are challenged to respond as quickly as possible,” he explained.

It would be helpful, Ghosh said, if journalists did a better job explaining the challenges that data breach notification laws present for everyone involved. Laws governing how companies handle breaches vary by state. Companies doing business in multiple states have to abide by a “patchwork” of laws.

“Whenever something happens like this, it’s important for journalists to try to understand which laws the company has to comply with and to say that in the story,” he said. “If it’s Target and Target has customers all over the country, in all 50 states — including those 48 that have data breach notification laws — the company needs to comply with all 48 laws.”

(Editor’s Note: The National Conference of State Legislatures provides a state-by-state list of security breach notification laws. As of December 2017, only Alabama and South Dakota did not have them.)

Why is this important?

“I think it’s important because it’s always important for people to know what the law is — especially when they’re consuming information about what a company is doing or an entity is doing in response to a law. It’s important context, I think.”

“Reporters might say: ‘Target chose not to inform consumers [about a breach] for 29 days or Facebook chose not to for 59 days.’ It might be the case they don’t have to. The law may say [they are required to do it] before 30 days or 60 days. Not to say there is not a moral case for notifying early, but sometimes … it’s hard to know what should be done and what’s feasible.”

What else do reporters need to know about these laws?

“There are these 48 laws and there is a huge effort to try to unify all of them into a federal approach so companies can comply with one. There has been a 15 year-long debate on Capitol Hill … and people are just never making progress on it.” Several proposals have come forward within the past 10 years, one of which was presented by the Obama administration, he said.

Any other issues journalists should be monitoring?

“Another big issue right now is around the idea of ‘reasonable security.’ Data breach laws say if you get breached, you should do this [take certain action]. But there is no unified approach in the law that stipulates that companies, in general, that hold individual data need to establish security practices that protect that data.”

Ghosh explained some federal laws exist to address privacy and data security in specific industries – banking and health care, for example. There is a national debate about the need for legislation addressing all industries and the question of whether companies should take specific steps or be allowed to enact what they consider “reasonable” security measures.

“The idea is that ‘reasonable’ allows the company to innovate and pursue security it feels is most meaningful or appropriate,” Ghosh said. “But if a judge feels they haven’t been ‘reasonable,’ they could be on the hook.”

How else can journalists improve their work?

Some journalists use certain terms interchangeably when they shouldn’t – for example, “hack” and “breach,” which can mean different things to different audiences. The same is true for “misinformation” and “disinformation,” Ghosh said.

“It sounds like the same word … In the research community, they are well defined. But I don’t think there’s a clear understanding of what they should mean more broadly for the public.”

What about privacy?

Privacy “is a very amorphous concept … But it deserves an acknowledgment that it means something different to everybody. There are so many contexts we can talk about privacy in … whether using social media or sharing data with certain people or whether we like doing certain things in public or private or how we browse the internet or how we share digital content about our kids. There are so many different threads here. And there is a huge spectrum in each of these threads as to how much or little [privacy] different people want to give up.”

“Using social media services, I have friends who are privacy hawks and won’t use Gmail and Facebook and keep their digital footprint to a few clicks a day somehow. Other friends are on every single social media service and uploading to Facebook and Snapchat and Instagram all day.”

What privacy laws should we know about?

“In the U.S., there are federal laws that ensure privacy for particularly sensitive data,” Ghosh said, referring to data related to children under age 13, private citizens’ health care information and students’ education records.

“There are narrow sectoral laws for particularly sensitive cases of data collection and processing. But what we lack completely here is a universal individual right to privacy. Europe has it. What we also lack is a baseline privacy law that says that any data about us, no matter who holds it, is subject to certain protections.”

(Editor’s Note: Read about the Children’s Online Privacy Protection Act (COPPA), which lets parents control the information websites can collect from children, and the Health Insurance Portability and Accountability Act (HIPAA), which limits who can look at and receive someone’s health information. The Family Educational Rights and Privacy Act (FERPA) protects the records of students, including adults enrolled at a college or university.)

Is there legislation we should be tracking?

Proposals to address privacy have included the Consumer Privacy Bill of Rights, unveiled by the Obama administration in 2012, the Data Broker Accountability and Transparency Act of 2017 and the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, introduced in 2018.

“There is a rich legislative history here, but they [the bills] don’t make it out of committee because they lack bipartisan support.”

“One thing I think reporters should keep in mind: A lot of people are talking about the GDPR — the General Data Protection Regulation passed by the European Union, a stringent and sweeping set of protections around data … Everybody that holds data associated with European nationals is subject to it.”

What do we need to know about GDPR?

“Journalists often say the GDPR is going to change the game … The GDPR is incredibly, incredibly powerful in both statement and law and it is going to change a lot of things. But some journalists and reporters will go so far as to say that the companies are going to comply. Many won’t … There is a power dynamic here.”

Ghosh said that if an influential company is threatened with enforcement action, then it might threaten to stop doing business. If that happens, enforcement agencies are going to change their behavior. “I think these are nuances that get missed sometimes,” he said.

Which media organizations do a good job covering security?

“The Wall Street Journal’s coverage of security is pretty balanced and it’s basically my go-to among the mainstream news outlets. Another one I’d point to is Recode.”

What about coverage of privacy?

He said the New York Times, Washington Post, ProPublica and Wired Magazine are doing good work on privacy.

 

Want to know more about data security and privacy? Journalist’s Resource has created a tip sheet on digital security for journalists and gathered academic research on privacy in the digital age. Also, check out this interview with security expert Bruce Schneier, who offers reporters guidance in covering cyberattacks as they relate to elections.

If you want to know more about Ghosh, here are some other interviews he has given:

  • In April 2018, Lisa Mullins, a host at National Public Radio’s Boston affiliate WBUR, interviewed him about how data brokers scrape and sell online data.
  • In a Q&A with The Verge in January 2018, Ghosh talks about how he thinks Facebook should fix itself.
  • On a February 2018 episode of the podcast Recode Decode, he discusses a paper he co-authored, titled “Digital Deceit: The Technologies Behind Precision Propaganda on the Internet.”

Here’s a sampling of articles he wrote or co-authored in 2018:

Privacy protection strategies on Facebook

Do data breach disclosure laws reduce identity theft?

Last updated: May 24, 2018

 

We welcome feedback. Please contact us here.