With less than a month to November 3rd, all eyes are on the United States and its upcoming election. As Americans weigh in on Trump against his opponent Joe Biden over a number of issues, what of privacy? The administration can have a significant impact in how our data can be collected, used or disclosed by companies and the state. How the president views privacy goes a long way towards the likelihood, or repeal, of data protection safeguards. Here’s a look at how the Trump Administration has had an effect on privacy over the past four years.
1. The Cambridge Analytica Scandal
While technically occurring before Trump took office, it would be negligent not to include the Cambridge Analytica scandal on this list. The story that swept headlines in 2018, as Facebook’s largest data leak to date, and worse, one with potential political ramifications.
According to Wired, whistleblower Christopher Wylie revealed that in 2014, Cambridge Analytica acquired data from tens of millions of private Facebook profiles. Reporting from the New York Times revealed this data found its way into the hands of the Trump campaign to build voter profiles. Cambridge Analytica had a number of ties to Trump: Steve Bannon, Trump’s now-former aid, was a company board member. The Guardian revealed John Bolton, who later became national security advisor, used the data to target YouTube videos.
Did Cambridge Analytica alter the result of the election? Data professionals are still undecided. In “Effects of Cambridge Analytica’s Facebook Ads on the 2016 Presidential Election”, Rahul Rathi with Towards Data Science shows the limits of the ads’ success. Channel 4 however, recently uncovered the Trump Campaign’s use of Facebook data in 2016 to deliberately disenfranchise select voting groups. This would have made a significant impact on voter turnout.
One thing is certain: the Cambridge Analytica scandal is now burned into the public consciousness. Suddenly, Facebook data could potentially influence elections. Can personal information collected online be manipulated to change political viewpoints? For Facebook, Cambridge Analytica represents a blow to trust the company has yet to recover from. CEO Mark Zuckerberg faced a Congress House hearing over data misuse. An investigation by the FTC resulted in a fine of 5 billion: the largest fine the Federal Trade Commission (FTC) has leveraged against a technology company to date.
As Issie Lapowsky for Wired writes, “Despite the theories and suppositions that had been floating around about how data could be misused, for a lot of people, it took Trump’s election, Cambridge Analytica’s loose ties to it, and Facebook’s role in it to see that this squishy, intangible thing called privacy has real-world consequences.”
2. Overturning the FCC’s Broadband Privacy Rules
In April 2017, the Trump Administration repealed service provider internet privacy protections. Per Brian Fun with the Washington Post, the move also prohibited the FCC from passing similar regulations In the future.
The protections were established in 2015 by the Federal Communications Commission. They placed limits on what internet service providers could do with information over their networks. For example, providers like Comcast and Verizon would need user permission before sharing personal information like web browser history. The protections were intended to limit the potential sale of personal data by service providers. Not that rules didn’t also have critics. According to Business Insider, many were concerned the rules created an unfair playing field. After all, while the FCC’s rules would apply to internet service providers, other big tech companies, including Google and Facebook would be exempt.
How much this move directly affected United States residents is still up to question. The rules that were overturned had yet to be enforced, and would not be until December 2017. Per critics, the rules would also have had no effect on data sharing habits of many other large tech companies. Still, there’s something inherently creepy about a web provider selling our browser histories to parties unknown without permission. If you haven’t considered it yet, now’s a great time to look into VPNs.
3. The Repeal of Net Neutrality
In December of 2017, the Trump Administration moved on to a different target. The Federal Communications Commission (FCC) repealed the 2015 Open Internet Order. Prior to the Administration, this Order was intended to enforce net neutrality in America.
In What is Net Neutrality? Dave Albaugh explains that net neutrality in the U.S. depends on an ISP’s classification through the Communications Act of 1934. Technology companies classified under Title I are ruled by General Provisions. Companies classified under Title II are deemed Common Carriers, subject to stricter requirements. The 2015 Open Internet Order enforced ISPs under the definition of Title II, forcing ISPS to keep the information playing field even.
Without a classification under Title II, net neutrality is in jeopardy. ISPs may slow down competitors, or put a premium on information outside their own provided content. There’s also more incentive to snoop. Watching what content is popular allows a company to decide when higher payments would be profitable. Now, thanks to the Order’s repeal, ISPs have a lot more leeway over what they can do with the information exchanged on their networks.
Reporting with The Verge, Zachary Mack took a look at what has happened a year after the repeal, with the results very discouraging. Per Mack’s article, instances of throttling specific internet connections are in practice. Privacy violations are also on the rise, such as ISPs selling the precise geolocation data of their customers. Consumers, meanwhile, are caught in the middle. Under the 2015 Order, consumers could lodge a complaint with the FCC over the treatment of their data. With the repeal, complaints are instead directed to the FTC, where longer wait times on investigations prevail.
4. The Trump Administration vs. GDPR: from Circling Distrust to the Breakdown of Privacy Shield
First, let’s be clear: the Trump Administration is not completely responsible for the breakdown of Privacy Shield. This came from the European Court of Justice’s July 2020 ruling, that Privacy Shield, the data-sharing agreement between the U.S. and E.U., failed to protect privacy and data protection. However, tensions between the Whitehouse and the E.U. over who has a right to privacy have played a part in the breakdown. Certainly, whoever takes the White House in November will have to address data transfers between the E.U. and U.S.
If a Trump win echoes past sentiments, it won’t be easy. When Trump became inaugurated in 2016, his actions immediately caught the attention of European regulators. Writing for Info-Security Magazine, Phil Muncaster how Trump’s executive order on “Enhancing Public Safety in the Interior of the United States” became a cause for alarm. Acting as a crackdown on illegal immigration, Trump’s orders meant privacy protections in the U.S. only apply to U.S. citizens. “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Trump’s order made E.U. regulators remind U.S. counterparts of their responsibilities under the EU-US Umbrella Agreement, which extends privacy to E.U. citizens under the U.S. Privacy Act, the federal government’s code of fair information practices. An overview of the Privacy Act can be found with the U.S. Justice Department.
Two years after Trump became president, in 2018 the E.U.’s own privacy legislation went into force: the General Data Protection Regulation (GDPR). Unfortunately, when it comes the GDPR, neither the White House and the E.U. always see eye to eye. Past reporting from Politico reveals that the Trump Administration is less than keen on the GDPR. U.S. Deputy Assistant Secretary of State for Cyber Rob Strayer has concerns the GDPR may be protecting cybercriminals. This is because the GDPR also makes private the WHOIS database of domain name owners, a valuable tool in tracking online attackers.
The E.U. meanwhile, isn’t sold on the Trump Administration’s own privacy standing. His executive order set a questionable tone on the administration’s privacy views. As the Financial Times reports, the E.U. has already pushed the U.S. for a tougher stance on privacy.
Already, for United States organizations that process personal information from member countries, Privacy Sheild’s status as ‘invalid’ is making things difficult. Reporting for Axios, Ashley Gold notes, businesses now fear growing liability. Some 5,300 businesses relied on Privacy Shield to safely transfer data; that assurance is now gone. In Tech Crunch, Natasha Lomas puts it succinctly:
“Turns out neither a ‘Shield’ nor a ‘Harbor’ were metaphors grand enough to paper over this fundamental clash of legal priorities, when a regional trading bloc with long standing laws that protect privacy butts up against an alien regime that rubberstamps digital intrusion on national security grounds, with zero concern for privacy.”
5. The White House Review of New Privacy Regulations
While some of Trump’s administration have been less than happy with the GDPR, there’s no denying its appeal to U.S. residents. Since the GDPR has come into force, U.S. consumers are showing a growing appetite for more control over their data. Already a study by Pew Research in April 2020 shows that half of Americans will not use a product or service based on privacy controls. That’s a definite disadvantage, especially if competition from other countries demonstrates better safeguards.
To date, no new privacy regulations have passed in the United States at the federal level, but that could still change. White House officials have been looking into the possibility. In 2018, Axios reported on the activities of Gail Slater, special assistant to Trump on tech, telecom and cybersecurity with the White House National Economic Council. Slater had been meeting with industry groups over the possibility of new guardrails on personal data. Predicted outcomes included the development of national privacy standards or best practices.
Unfortunately, since then nothing has materialized. In 2019 the New York Times expressed dismay that while Congress, the Senate and the White House have all expressed an appetite for a new privacy law, it is nowhere in sight. In September of 2020 the Senate held another meeting on the subject, but as an election draws closer the potential for action is skeptical. Kyle Brasseur with Compliance Weekly sums it best with his briefing’s title: “ Déjà vu: Senate committee revisits need for federal privacy law.”
6. The Trump Administration vs. FISA: Renewals and Clawbacks
When it comes to privacy and surveillance, United States law enforcement is bound by legislated provisions. U.S. investigations, as Paul Bischoff for Comperitech writes, are shaped by three pieces of legislation: the Foreign Intelligence Surveillance Act (FISA), the USA PATRIOT Act, and the USA FREEDOM Act. During the four years President Trump has been in office, two sections of FISA have been up for renewal. Yet his administration’s support for each could not be more different.
In 2018, Trump signed a renewal of FISA section 702 into law. Per reporting from Wired, section 702’s renewal means it continues to be in effect and will remain so until 2024, when it will be once again up for renewal. What does this mean for privacy? More warrantless surveillance for one.
Provisions under Section 702 allowed the National Security Agency to carry out its PRISM program; the same program Edward Snowden leaked to the press in 2013. The law allows warrantless surveillance of foreign nationals, including electronic messages, emails and video chats. These records, in the hands of the NSA, may also be accessed by the Federal Bureau of Investigations (FBI) if investigating foreign nationals. However, as Wired’s Louis Matsakis points out: “citizens and permanent residents easily get swept into the dragnet”.
Yet the renewal was not a complete blow to privacy. 702’s renewal includes:
- Removal of “Abouts” collection. This means surveillance will continue on targets, but no longer includes conversations from other parties on the targets themselves.
- Requiring the Attorney General and the Director of National Intelligence (DNI) to adopt new querying procedures.
- Imposes restrictions on FBI collection of U.S. citizen data without a warrant.
- Changes that allow the Privacy and Civil Liberties Oversight Board (PCLOB) more supervision.
A full text of the changes can be at the Director of National Intelligence’s website.
How much support Trump had for Section 702 when he signed the renewal is unknown. On January 11th, 2018, he appeared displeased by 702’s renewal, tweeting concern over its abuse to surveil the Trump campaign by the Obama administration.
Oddly enough, per CNN this tweet was followed up with some clarification: no, this vote was acceptable as it oversaw surveillance of foreign nationals; “We need it. Get Smart.” Certainly, days later, he appeared on-board:
Analysts including Timothy Lee with ArsTechnica, note the ‘scandal’ Trump refers to is most likely a dig at the FBI’s investigation into his 2016 election campaign. What we know for certain is that after Trump told Republicans to drop it, most did. The House voted 284-122, defeating the bill. Per CNN’s summary of the event, Republican support, previously expected to pass the bill, disappeared in a tweet.
For privacy advocates, this can be seen as a clear win. Whatever his reasons for lashing out against Section 215, Trump ended the program’s continuation. As Lee suggests, Trump’s stance makes it unlikely any kind of Section 215 will hit congress for some time, putting it on hold indefinitely.
7. The Encryption Debate
The encryption debate, if backdoors should be designed to allow law enforcement access to encoded messages, is nothing new. A well-known case hit the media in 2015, when the FBI obtained the phone of an ISIS California shooter. Per Ethics Unwrapped: “lawyers for the Obama administration approached Apple for assistance with unlocking the device, but negotiations soon broke down.” Apple refused, but the case was dropped when the FBI could break open the encrypted phone without Apple’s assistance.
Unfortunately, the debate if public offices should be able to circumnavigate encryption isn’t over. In 2019, Peter Suciu with ClearanceJobs reported the White House discussing potential legislation. According to Politico, the government describes the encryption challenge as “going dark”. Senior officials have debated asking congress to outlaw end-to-end encryption outright.
Trump’s U.S. Attorney General, Bill Barr, is an opponent of unbreakable encryption. In January of 2020, he publicly criticized Apple for refusing to help de-encrypt a phone tied to a terrorism case. However, as writer Trevor Timm notes, Barr wasn’t asking Apple to help decrypt one phone. “Barr wants the ability to force Apple to access anyone’s phone if the government comes asking.” Moreover, Apple’s help, once again, wasn’t required: Reporting in May of 2020, Brian Barret with Wired revealed the FBI had been able to unlock the phone, without undermining the encryption. Barr has remained nonplussed. “There is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.” This statement suggests that for Barr, the encryption debate has yet to be settled.
Certainly, Congress hasn’t given up. In February 2020, Nadita Bose with Reuters reported on another anti-encryption bill hitting the floor. Proposed by Chairman of the Senate Judiciary Committee Lindsey Graham, the “Eliminating Abuse and Rampant Neglect of Interactive Technologies Act of 2019,” or “EARN IT Act” has its sights on the technology sector. The bill would overturn federal law Section 230, make technology liable for state prosecution and civil lawsuits. Companies could avoid this by following best practices determined by the Attorney General… but per Bose analysis, there’s fear these “best practices” would include overturning use of encryption.
With less than 30 days before the election, the EARN IT act won’t be law before the election, but it is making gains. The bill passed the Senate Judiciary Committee in September, and will be sent to the House this month.
8. The Rise of Facial Recognition in Government Enforcement.
It’s no secret that facial recognition technology is advancing rapidly. Fact is, as Daria Leshchenko writes in Forbes, it’s almost impossible to escape facial recognition. Systems like Facebook already include facial recognition processing on photos posted online for fun. A renewal of your driver’s license in many states means your image is in a facial recognition database. The tech is being rolled out everywhere from airports to concert venues. Your face right now is very likely sitting in at least one system.
How does the Trump Administration view use of facial recognition by government departments? Favorably, if we follow the government’s track record over the past four years. The technology is already in use by various government departments. In July of 2019, the Customs and Border Protection officials were called to defend use of facial recognition before the House. This came on the heels of a hack on government subcontractor Perceptics earlier in the year. Reporting with the Business of Federal Technology states the Perceptics breach leaked data on tens of thousands of travelers.
While the CBP downplayed its use of facial recognition, it’s not alone as an enforcement department using the technology. From an investigation by the Washington Post, if you are registered within a state’s motor vehicle database, the FBI may have a profile of your face. The reality is, facial recognition is now a routine tool for law enforcement and other departments. As recently as August of 2020, U.S Immigration, Customs and Enforcement (ICE) signed a deal for licenses to Clearview AI. To put it in perspective, Clearview can no longer operate in some countries, including Canada, due to privacy concerns.
Yet if there’s a growing appetite for government access to data, there’s also calls for stronger restrictions. Upon learning of FBI and ICE use of DMV data, the House Judiciary Committee called for briefings on database use. Bans on use of facial recognition are now in place within San Francisco, Oakland, Boston, and most recently, Portland. As CNN Business reports, the DHS dropped a filing in 2019 to use facial recognition on all entering the U.S., including American citizens. In March of 2020, the American Civil Liberties Union filed a lawsuit against the Trump Administration’s facial recognition programs. Adi Robertson with the Verge reports the ACLU filed public records requests with multiple agencies under the DHS. Nothing is over by a long shot.
Trump has already signaled support for the technology’s increased use. In June 2020, he retweeted a member of his administration against facial recognition restrictions. However, this could have been less support for the technology, and more a dig at the company Microsoft. The tweet, as reported in the Daily Dot, was by former NSA director Richard Grenell. Grenell stated Microsoft should no longer be eligible for government contracts, given the company’s current stance to refuse sale of facial recognition technology without legislative safeguards. Microsoft isn’t alone; as of June 2020 Amazon placed a one-year ban on the sales of its facial recognition software to law enforcement.
Adding more fuel to the fire, as of September 2020, the DHS has a new proposal for stronger collection of biometric data. Chris Burt with Biometric Update covers the proposal, which would see DHS collect face, iris, palm and DNA data on immigrants to the U.S…. and those in the U.S. who sponsor them. If put into practice, it would mean an estimate of 2.7 million biometric records collected each year.
9. Hacking and Tracking Trump: The President Test-Case to Illustrate Geolocation Data Abuse
In December 2019, the New York Times ran an experiment for its privacy project. If they obtained data sets with over 50 billion location pings, what sort of insights could they find? The headline result was the location history of anyone they wanted, including the president of the United States.
By identifying one of the phones as belonging to a Secret Service Agent, the NYT could identify and follow the president’s entourage by a few feet. Using location data to identify the agent’s home, more data, such as name and spouse, were unearthed. The NYT article shows a map of tracing Trump’s whereabouts from Mar-ga-lago to Golf Club Jupiter to West Palm Beach, and back to Mar-ga-lago. The NYT story also illustrates additional senior officials they were able to track, and how the data might be abused.
To be fair, How to Track the President is not a privacy fallacy unique to the Trump Administration. The story could, and did, pick on a number of prominent officials; Trump was simply the most prominent. It’s also telling that, running a search through @realDonaldTrump‘s Twitter account days after, no rebuke to the NYT is given. Trump at the time, had far more pressing concerns: impeachment by the House. Yet one has to wonder what happened to the Secret Service agent who’s phone location was compromised.
It’s also worth noting months later nothing has changed: no new restrictions on geolocation tracking exist. If the NYT can find the president of the United States with such data, who else can federal enforcement find with access, and how fast?
10. When TikTok’s Practices Grab Trump’s Ire
If talking about the Trump administration’s impact on privacy, it’s impossible not to discuss the popular application TikTok. On July 31, 2020, per Buzzfeed News, Trump told reporters he was planning a ban on the app in the United States. Days later in August, the president signed the ban in an executive order that would begin in September. Trump’s reasoning? As Jason Wells and Pranav Dixit write, the app “captures vast amounts of personal data on users that could be used against American interests.” In other words, the app violated U.S. resident privacy. In particular, Trump pinpointed the blame on TikTok’s parent ByteDance, and Chinese headquarters.
There is some justification that TikTok is abusive to user privacy. In January of 2020, Teri Robinson with SC Media reported that the U.S. Army and Navy banned the app, calling it a national security risk. From a technical standpoint, the app has lots of holes. Bloggers Talal Haj Bakry and Tommy Mysk discovered data could be altered or tracked due to a lack of encryption. This vulnerability was later patched in May. In June, Zak Doffman with Forbes reported on TikToc’s exploitation of reading data copied to phone clipboards. This, after the company promised to end the practice in April; TikTok was caught by changes to Apple’s privacy settings in iOS 14. Privacy and security have clearly not been a top priority for developers.
However, as privacy advocates argue, the argument that TikTok should be banned due to bad privacy is a weak one. After all, why target TikTok for its massive data grabs, but not Facebook, Google, or other social media giants that follow the same practice? As Josh Lake for Comparitech notes, TikTok is no more dangerous for the average person than any other app. Is privacy the real reason for the crackdown?
It’s no secret that TikTok and Twitter campaigns caused embarrassment to a Trump rally in Tulsa, Oklahoma. Use of the social media tools encouraged activists to reserve tickets with fake names and not attend. The result? After grandiose claims by the Trump campaign of expectations for a huge crowd, attendance was one-third of their prediction. As Abram Brown with Forbes analyses, hurt feelings, not privacy, could be behind the call for TikTok’s ban. “It’s not clear if Trump even knew TikTok existed until the Tulsa rally. For instance, in the great many messages he has sent on Twitter, he still has never once mentioned the app.” The timing, as Brown points out, is also suspicious: two weeks after the rally’s failure, Secretary Mike Pompeo first talks about the ban. So is TikTok on the Trump Administration’s bad list for collecting American personal information and passing it on to China? Or is TikTok American privacy theatre, with no real intent of data protection in place?
Since the executive order, news on the application’s fate has been nothing short of a circus. Motive aside, an American president signing an executive order imposing a U.S. ban of an app is unprecedented. Deals continue over potential U.S. buyers and ownership, with CNN reporting on a joint-purchase by Oracle and Walmart. Meanwhile, the ban has hit legal challenges, with TikTok suing the U.S. government. The lawsuit gained traction in September when a federal judge issued an injunction on the ban. With the election looming, the application’s fate may be tied with what voters decide in November.
11. Going Forward
Predicting the future can be difficult during the best of times. Predicting a future for privacy with the Trump Administration may be nearly impossible. As this article demonstrates, the administration doesn’t have a “one size fits all” view of privacy.
Under the Trump administration, Americans have gained protections, like the non-renewal of FISA section 215, but lost the FCC’s privacy rules. Trump himself appears to have a mixed stance on FISA. Clearly, there’s anger over FISA’s part in potential data collections and investigations into the Trump campaign. FISA’s surveillance over foreign nationals, however, is well supported. There has been discussion by members of his Administration towards stronger privacy laws, but at the same time, there have been further calls to dismantle safeguards like encryption.
We do know that growth use of surveillance technology appears likely. The DHS’s proposal means more data gathered on those entering the U.S., and Trump has given the tech his support. For application privacy, is the potential ban on TikTok a warning to foreign interests in American personal data? Could be, but without a stronger stance on internal privacy protections it may remain anything goes for internal U.S. tech companies. One thing’s for certain: if there’s any appetite for a cohesive stance on privacy, whoever inherits the White House in January will have their hands full.
See also: