Crossed signals

Published: 22 April 2025

In this blog first published in the Guernsey Press, Bailiwick Data Protection Commissioner Brent Homan outlines how a ‘military chat group misfire’ reveals the value of federal privacy laws.

For full disclosure, I am a Canadian. As a Canadian I do have opinions on how my home country’s sovereignty has been disparaged by the current US government. Strong opinions. But that is for another time and place. Let’s talk today about how the absence of a comprehensive federal privacy law can contribute to a cultural or behavioural environment where a military operation can be debated and planned on a commercial chat platform with the editor of a news organisation being invited to the party.

Firstly, as far as privacy laws go, let’s reflect on what the US has and does not have. They do have a patchwork of state laws where data protection and privacy are enforced to varying degrees. Largely influenced by the GDPR, the most progressive of those laws is the California Consumer Privacy Act, which came into force in 2020.

The US also has the Federal Trade Commission (FTC) which can take enforcement action against companies who have violated consumers’ privacy rights or misled them by failing to maintain security for sensitive consumer information.

The FTC has an impressive record in carrying out this mandate, including the issuance of a $5 billion fine to Facebook in 2019 following the Cambridge Analytica scandal as well as a $700 million fine to Equifax for its security failings in one of the largest global data breaches in history.

But what the US doesn’t have on a federal level is a comprehensive privacy law that unites the key global data protection principles that you can find in other federal or supra-federal laws such as Guernsey’s law or the GDPR.

So what does all this have to do with a ‘military chat-group misfire’? A lot.

Such federal privacy or data protection laws provide a strong framework and set out clear and instructive principles for the handling of sensitive information. Ask any police officer what their most effective enforcement tool is and they will often give you a one-word answer – presence. Knowing that a law exists, knowing that a regulator will enforce that law, and embracing that the law upholds fundamental rights that we hold dear to our hearts, will positively affect the security stance of any organisation, be it in the private or public sector.

Does that mean a federal law would have prevented Signalgate? Not necessarily, but it should have created the right ‘security culture’ mindset, lowering the possibility of it happening.

And what is at stake with such security missteps? With Signalgate we saw how a national security breach could potentially put lives in danger. And for any government, where trust of its citizens represents its greatest currency, a security failing of such proportions may injure that trust.

In fact, what is probably more confidence-jarring for citizens is the cavalier manner in which a military operation was discussed and executed, punctuated by emojis, as if a bunch of lads were chatting about where to meet up for a pint to watch a football match.

So yes, a federal privacy law might have helped. Secure and state-approved methods for hyper-sensitive transmissions exist, and ought to have been used. A legislated security safeguard framework can serve to embed such use into the ‘muscle memory’ of government machinery.

And as to the role of federal laws in reinforcing respect for data protection rights, it is important to point out that these rights are a necessary precursor for other fundamental human rights and to support a democratic society. It is hard to think of a point in time since 2000 when global confidence in the integrity of democratic regimes has been more shaky.

Finally, notwithstanding the stunning nature of Signalgate, no public body is immune to such missteps. Last December my predecessor, Emma Martins, produced a timely independent report for the Scottish Government highlighting risks with the use of mobile messaging apps and non-corporate technology for official government business. The Scottish Government has since decided to cease the use of mobile messaging apps, including WhatsApp, on official devices by spring 2025.

Many public and private sector organisations, while not using commercial messaging apps for ‘official business’, may still use chat groups for informally interacting off-line or coordinating social events. Our office has such a group. The danger then becomes the slippery slope of introducing ‘work-ish’ type exchanges that, if left unchecked, can lead to the communication of more sensitive information that clearly should be protected through official messaging channels.

So as spectacular a failure as the Signal misfire is, it is also an opportune time to enact that age-old adage – ‘let no crisis go to waste’. Whether that means getting serious about federal privacy laws or reflecting on your organisation’s own messaging security hygiene, valuable lessons abound.