
Current state

There is no overarching federal data privacy regulation in the US, and “security” is maintained by a messy clump of narrow-scoped acts (the most relevant being HIPAA, COPPA, and the FTC Act). The CCPA (California Consumer Privacy Act) is a semi-valuable stone buried in the clump, an attempt at “privacy” that emulates the European Union's GDPR (General Data Protection Regulation). Recommended background on CCPA and GDPR here.

Motivation

The world runs on data, and while that doesn’t particularly bother most people, its use is becoming increasingly invasive. Some form of proper regulation must be put in place at the federal level to maintain some semblance of privacy and security by default. More advanced forms need to be developed further, which inspired this draft proposal for an Extended Data Privacy Regulation.

Cryptography

Historically, deploying strong cryptography has been a challenge because of obstacles imposed by governmental bodies. The first Crypto Wars began when the NSA pressed for DES to ship with a 56-bit key (its changes to the S-boxes fed long-running suspicion of a backdoor, though the suspicion was never substantiated), and export controls then treated stronger protocols such as RSA as munitions, which of course prompted rebellion and distribution anyway, as is evidenced on this fun site. At the moment the public has an acceptable variety of community-reviewed protocols available; they are just not always used where they are needed.

Notable tools that should be pushed harder are GPG (GnuPG), fully homomorphic encryption (FHE), and the various post-quantum schemes. GPG specifically should be widely applied for optional signing/verification of EVERYTHING of value, including emails, code, and documents, and FHE should be used on particularly sensitive data such as medical records. Post-quantum crypto must continue to be developed (until it stabilizes) for those who require more comprehensive and future-proof security, and the available algorithms should coalesce into a strong mathematical paper, heavily vetted by the mathematics community (the motivation for this will likely remain intellectual, since monetary incentives are difficult to implement for a collaborative goal). Not all data should be encrypted, however, as data still needs to circulate to feed research and the progression of innovation, launching me into my next point: Availability.
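As an added example (not code from the original post), the following shows what "sign everything and verify it" looks like in practice with GnuPG: a detached signature over a file, and a verifier that checks not just gpg's exit status but the `VALIDSIG` status line, so a signature from some other key that happens to be in the keyring is rejected. It shells out to the `gpg` binary and assumes GnuPG 2.x is installed; the user id, file contents and the all-zero "wrong" fingerprint are constructed for the demo, and the key is generated without a passphrase in a throwaway home directory, which is fine for a demo but not for real signing keys.

```python
"""Detached GnuPG signing plus verification with a pinned key fingerprint.
Added example; requires the gpg binary (GnuPG 2.x) on PATH. Everything runs in a
temporary GNUPGHOME so the caller's real keyring is never touched."""
import os
import shutil
import subprocess
import tempfile
from typing import Optional, Tuple


def _gpg(home: str, *args: str) -> subprocess.CompletedProcess:
    """Run gpg non-interactively against an isolated keyring (empty passphrase, demo only)."""
    return subprocess.run(
        ["gpg", "--batch", "--homedir", home, "--pinentry-mode", "loopback",
         "--passphrase", "", *args],
        capture_output=True, text=True,
    )


def generate_key(home: str, uid: str) -> str:
    """Create an ed25519 signing key and return its 40-hex-digit fingerprint."""
    _gpg(home, "--quick-gen-key", uid, "ed25519", "sign", "0").check_returncode()
    listing = _gpg(home, "--with-colons", "--fingerprint", uid)
    listing.check_returncode()
    for line in listing.stdout.splitlines():
        if line.startswith("fpr:"):          # colon format: fingerprint is field 10
            return line.split(":")[9]
    raise RuntimeError("fingerprint not found in key listing")


def sign_detached(home: str, path: str, sig_path: str) -> None:
    """Write a detached signature for `path` to `sig_path`."""
    _gpg(home, "--yes", "--output", sig_path, "--detach-sign", path).check_returncode()


def verify_detached(home: str, path: str, sig_path: str, expected_fpr: str) -> bool:
    """True only if the signature is good AND was made by the pinned key.
    Exit status 0 alone means "some key in the keyring signed this", which is not enough;
    the machine-readable VALIDSIG line carries the signing key's fingerprint."""
    result = _gpg(home, "--status-fd", "1", "--verify", sig_path, path)
    if result.returncode != 0:
        return False
    for line in result.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2] == expected_fpr
    return False


def run_demo() -> Optional[Tuple[bool, bool, bool]]:
    """Returns (genuine file verifies, intact file vs. wrong pinned key, tampered file),
    i.e. (True, False, False) when things work; None if gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    home = tempfile.mkdtemp(prefix="gnupg-demo-")  # mkdtemp uses mode 0700, as gpg wants
    try:
        fpr = generate_key(home, "Demo Signer <demo@example.invalid>")  # constructed uid
        doc = os.path.join(home, "release-notes.txt")
        sig = doc + ".sig"
        with open(doc, "w") as f:
            f.write("v1.2.3: fixes the auth bypass\n")  # constructed content
        sign_detached(home, doc, sig)
        genuine = verify_detached(home, doc, sig, fpr)
        wrong_pin = verify_detached(home, doc, sig, "0" * 40)  # constructed "other" key
        with open(doc, "a") as f:
            f.write("v1.2.4: totally legitimate extra line\n")  # tamper after signing
        tampered = verify_detached(home, doc, sig, fpr)
        return genuine, wrong_pin, tampered
    finally:
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The pinning step is the part most scripts skip: `gpg --verify` happily returns 0 for any key it has imported, so a release pipeline that only checks the exit code can be satisfied by an attacker who gets their own key into the keyring. Comparing the fingerprint from `VALIDSIG` against the one you expect closes that gap.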

Availability

Data may still be collected by default (mandatory opt-in is not the best strategy), but data collection and processing must be transparent. Data-handling processes must be made clearly and comprehensively public, and the option to access one's data at any point (and to store anything possible locally) must be available, sans dark patterns. Data-processing flows cover any data collected (including movement across entities, profiling, and storage metadata such as fingerprinting data and IP logs, not just Personally Identifiable Information). Data from any individual under 13 must be anonymized when processed. Anonymization of data as a whole is recommended when processing, because direct profiling may cause public backlash once the transparency described above is applied. Where it does not conflict with currently standing legal constraints, all collected data must be made accessible (for use by researchers).
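To make "anonymized when processed" concrete, here is an added example (not code from the original post) that runs the rules above over a few constructed records: identifiers become keyed pseudonyms, IPs are coarsened to a routing prefix, ages become bands, and records of subjects under 13 keep no linkable identifier at all. The record field names, the key and the sample values are assumptions for this example. It also shows why an unkeyed hash of an IP address is not anonymization: the address space is small enough to enumerate and match.

```python
"""Anonymisation of processing records. Added example, not the post's own code.
Field names, sample values and the HMAC key below are constructed for the demo."""
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional

# Constructed sample records (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "age": 34, "ip": "203.0.113.45",
     "fingerprint": "canvas:8f3a2c", "path": "/billing"},
    {"user_id": "u-1002", "age": 11, "ip": "198.51.100.7",
     "fingerprint": "canvas:77be10", "path": "/games"},
    {"user_id": "u-1003", "age": 16, "ip": "2001:db8:1234:5678::9",
     "fingerprint": "canvas:0c0ffe", "path": "/games"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: equal inputs map to equal outputs (so analysis can still join on
    them), but without the key nobody can enumerate candidate inputs and match them.
    Truncated to 64 bits for readability; use the full digest in production."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def plain_hash(value: str) -> str:
    """What a naive pipeline stores instead: an unkeyed SHA-256 of the raw value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def coarsen_ip(ip: str) -> str:
    """Keep only a routing prefix: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def age_band(age: int) -> str:
    """Generalise age so it no longer singles anyone out; the band edges are a design choice."""
    for upper, label in ((13, "<13"), (18, "13-17"), (30, "18-29"), (50, "30-49")):
        if age < upper:
            return label
    return "50+"


def anonymize(record: Dict, key: bytes) -> Dict:
    """Return a processing-safe copy of one record; raw ip/age/user_id never pass through."""
    out = {
        "path": record["path"],
        "age_band": age_band(record["age"]),
        "ip_prefix": coarsen_ip(record["ip"]),
    }
    if record["age"] < 13:
        # Under-13 data: no linkable identifier of any kind, not even a pseudonym.
        out["subject"] = None
        out["fingerprint"] = None
    else:
        out["subject"] = pseudonym(record["user_id"], key)
        out["fingerprint"] = pseudonym(record["fingerprint"], key)
    return out


def anonymize_all(records: List[Dict], key: bytes) -> List[Dict]:
    return [anonymize(r, key) for r in records]


def recover_ip_from_plain_hash(digest_hex: str, candidate_prefix: str) -> Optional[str]:
    """Why plain hashing fails: enumerate a prefix and re-hash until one matches.
    Only the given block is searched to keep the demo fast; all of IPv4 is 2**32 hashes,
    which is minutes of work on a laptop, so the unkeyed digest is just the IP in disguise."""
    for host in ipaddress.ip_network(candidate_prefix).hosts():
        if plain_hash(str(host)) == digest_hex:
            return str(host)
    return None


if __name__ == "__main__":
    KEY = b"demo-only-hmac-key"  # constructed; in practice a secret held by the processor
    for row in anonymize_all(SAMPLE_RECORDS, KEY):
        print(row)
    leaked = plain_hash("203.0.113.45")
    print("plain hash reversed to:", recover_ip_from_plain_hash(leaked, "203.0.113.0/24"))
```

One caveat worth stating plainly: keyed pseudonyms are pseudonymization, not anonymization. Whoever holds the key can re-identify, so under GDPR-style rules the output is still personal data; the under-13 branch, which drops identifiers entirely, is the only truly anonymous path here.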

Networking

Tor must be decoupled from its government roots, and the “dark web/hacker” stigma ensconcing it must be blown away. Everyone should be aware of its existence, and running relays should be promoted. That may be most likely through incentivization: you only receive as much bandwidth as you share (though building such infrastructure to resist spoofing will prove difficult; perhaps a distributed ledger (I hate blockchain as much as anyone who has seen it used to solve problems that don’t befit it, but this seems appropriate)). Overall, the network should be expanded and modernized. Wi-Fi networks should also become more impervious to sniffing, especially where Internet of Things devices are concerned (their vulnerabilities must be pursued, mitigated, and patched aggressively; note that the aforementioned data privacy requirements apply to these devices too).

Endnote

This is all just speculation, and most parts will be met with strong pushback from entities that would suffer from stricter regulation; however, it is in theory doable and is my idea (note: this is an opinion) of an ideal balance for data privacy. Maybe something like this will occur eventually. Maybe decentralization will reduce dependence on central data stores. Or maybe large tech companies will retain and strengthen their hold, a vice, an ever-spiraling drain on public information. Either way, current privacy measures for the general public are insufficient, though there are acceptable measures available for power users (Tor, GPG, etc.). By “acceptable”, I mean “you can track me but I won’t make it easy for you”. Final comment: privacy is an illusion, and trying to maintain it is a fun game.