Today, digital technology is unlocking the power of our data. It can be used to improve our daily lives, to assist in disaster relief, or to find cures for rare diseases. But it can also be leveraged to manipulate, to mislead, and to discriminate against us.
In the US, data collection and use is largely without boundary. Because there is no fully functioning, comprehensive federal privacy and data protection regime, data can freely be sold in ways that risk disastrous consequences for real people. Information you give up can be reused in ways that can harm you, even if the original data collection was for a good cause.
A government database is therefore not necessarily good or evil, but history has lessons for us on the implications of collecting personal information without robust safeguards against abuse. It was not long ago that US census information, provided in good faith, was then used to lock Japanese American families in internment camps, a deep stain on human rights.
Today, human-rights advocates are rightly concerned about the database originally created for the US “Dreamers” program. In 2012, then-president Barack Obama announced the Deferred Action on Childhood Arrivals (DACA) program, which was created to defer deportation action and allow work permits for those brought to the US as children. DACA was implemented when Congress failed to pass the Dreamers Act—standing for the Development, Relief, and Education for Alien Minors Act—which would also have provided a path to citizenship.
To apply for DACA, you were required to submit your personal information to the government: your current and past addresses, your phone numbers, your fingerprints, your height and weight, and much more. Applicants submitted this information despite privacy concerns, because the objective of the program was explicitly to protect them.
When the program was implemented in 2012, Dreamer applicants were assured that their information would be “protected from disclosure to ICE and CBP for the purpose of immigration enforcement proceedings.” The problem is that this promise was made as part of a non-binding Department of Homeland Security policy, and there is no guarantee DHS won’t modify that policy in the future, particularly with a new administration.
The Dreamers program became a symbol of hope for those facing expulsion from their home. But when Donald Trump ran for office, he made dismantling it a foundation of his presidential campaign, and reportedly set about doing just that on his very first day in office in 2017. A presidential memo in September 2017 attempted to end the program, but it’s still alive, pending several lawsuits challenging its discontinuation.
The end of the program should mean destruction of the information in the database. Under the federal Privacy Act, passed in 1974, government databases—known as “systems of records”—can only be maintained so long as they are relevant and necessary. However, government agencies are fond of frequently exempting themselves from Privacy Act requirements. Many human rights advocates fear that because the Trump administration has shown interest in mass deportations, information in government databases could be retained and used to target the Dreamers; the same data they willingly provided to protect their futures could instead be used to target or deport them.
That’s not all we need to worry about. Information collected by US government agencies often has more protection than private databases. This means that the collection and use of personal data by US companies is an even wilder west.
Consider the private collection and use of genetic data. Kits from companies like 23andMe, Ancestry, and others have shot up in sales during the holiday season, as they seem like a relatively cheap and easy way to learn about your origins, or find out if you carry a genetic disease. For example, you might be to trace your lineage in a country with a history of slavery, since the data can reveal information about people of color that might otherwise be lost or actively obscured due to systematic oppression.
However, these tests also expose you to new forms of manipulation. The results can often be misleading, inaccurate, or even put your health at risk due to incomplete information. And it gets worse: Companies that collect genetic data have begun to sell access to their databases to big pharmaceutical companies. That means we could see medicines developed on the basis of incomplete research sold back to the public at exorbitant prices, with no real protections for privacy, and no compensation for the research subjects. By using these services, we’re handing over our unique data to a giant corporation with no real understanding or control over how it will be used.
Even more disturbing than unscrupulous commercial exploitation is the possibility that this sensitive information might then become subject to government access. This is not hypothetical: Police are already exploring this as an investigative method in the US, and in Canada, immigration officials have been using data from genetic testing companies to establish the nationality of migrants and deport them. Government surveillance laws broadly fail to provide adequate protections for genetic information, and we should approach these new policing methods with caution: DNA data has known to lead to a high number of wrongful convictions, and at-risk communities and non-white individuals are especially vulnerable.
If we can’t trust the government or private companies, then how do we protect people?
A robust law would have binding rules and hold all entities—whether a tech company or the US government—to account for bad behavior. Those who compile databases should have to show that it is being done for a legitimate, identifiable purpose, and individuals should have the power to determine whether to share their information, who has access to it, for how long, and for what reason. They must have access to remedy when their rights are violated.
These concepts are not new. Countries across the globe have had data-protection laws for more than 40 years, but the digital era has underscored the need for updated and robust protections. The US, which used to be a leader in privacy, is now lagging behind the EU, India, Tunisia, Brazil, Japan, and Argentina. Its poorly enforced Privacy Act and sector-specific approach, with demonstrably ineffectual Federal Trade Commission oversight, is of extremely limited value for protecting us from data breaches, data abuse, and manipulation, either by private or public entities.
Today it is clear that our data can and will be used against us. To protect our privacy in the digital era, we need more than good intentions: We need a comprehensive federal privacy law that will keep our private information safe when bad intentions take over.