Tech giants increasingly rely on technology to counter threats to security and privacy, but a growing body of research shows that relying on such technologies can also be a costly affair, according to a new report by the American Civil Liberties Union (ACLU).
The study, which analyzed more than 1,400 cybersecurity and privacy policies, found that the policies often offer no protection against hackers or cyberattacks.
The report, titled “A Cybersecurity-For-Privacy Solution,” was released Thursday by the ACLU to mark the 25th anniversary of the landmark Supreme Court ruling under the Privacy and Civil Liberties Act of 1974.
“The cyberwar on privacy is only one part of the story,” said ACLU staff attorney Danielle Citron.
“This report shows how cyberattacks are often more about data theft, access control, and more than simply hacking or theft of personal information.
This is a troubling trend that the federal government must act on now to protect our privacy and freedoms.”
The ACLU study, as reported by the Washington Post, found that policies that do not address data breaches or the privacy implications of cybersecurity measures have nonetheless been used by companies to justify deploying those technologies.
For example, the U.S. Navy’s cybersecurity policy and its cyberwarfare policy do not address breaches by cybercriminals; instead they recommend that businesses rely on “critical infrastructure” to protect their networks.
The Navy’s policies also do not address data breaches by foreign governments, even though the report found that some of the companies suffering the most breaches had the largest number of policies that do.
“Companies have to be honest with their customers about the risks and benefits of using their products and services,” Citron said.
“There is no doubt that the government can and should be working to prevent data breaches.
But there is also no doubt about the need for companies to protect data, including personal data.”
The report also found that policies that explicitly address cybersecurity and cyberattacks do not always include clear privacy or security provisions.
A policy for “critical systems” at the Department of Homeland Security, for example, states that it is “essential” for government systems to provide “security and integrity.”
However, the policy contains no section that explicitly provides for privacy or cybersecurity protections.
The policy states that “critical services will be made available to protect the privacy of the individual user” and “will be made as accessible as possible to the public.”
The policy sets out no privacy or data security requirements, nor does it specify what information may be shared or how the policy is to be implemented.
According to the report, the policies for critical systems are typically “in the hands of the vendors and are not subject to any user review.”
The report continues: “A significant number of critical infrastructure systems have not been reviewed by the Department for privacy, security, or other purposes, which raises serious privacy concerns.”
In some cases, the Privacy and Electronic Communications Privacy Act of 1978, commonly known as PECPA, is cited as a source of information.
However, the ACLU report found “no specific information about how the federal agencies and their contractors are using these privacy and security provisions, and there is no evidence that the DHS and the companies that own critical infrastructure have been required to implement them.”
While many of the policies are voluntary, the report says they often are “used as a tool to force companies to violate users’ privacy rights.”
The report’s findings also raise concerns about the use, disclosure, and retention of cyber and data privacy information, which have not been addressed by federal law enforcement authorities.
For instance, the DHS has not implemented the Privacy Act’s mandatory requirement that all data collected on users be retained for five years.
The DHS does not have a privacy plan, and it has no written policies on data retention, said David Baskin, director of the Electronic Frontier Foundation’s privacy and data security program.
“In the past, privacy and information security policies were written in clear language and included clear instructions on how to properly manage personal data,” Baskin said.
However, the Privacy Protection Act of 2006 requires the federal data security agency to establish a data security plan.
According to DHS, the information security plan should “provide for the protection of personal data, such as email addresses, credit card numbers, and other data that can be used to identify individuals, organizations, and entities.”
The Privacy Act also states that companies must provide access to customers’ email and other sensitive information to government agencies and contractors.
“While the privacy protections outlined in the Privacy Protections Act of 2002 are strong, they do not provide for the collection and retention or disclosure of customer information without the permission of the user,” the Privacy Information Protection Act (PIPA) of 2001 states.
The Privacy and Security Act of 1998 also requires companies to provide access “to customers’ personal information, including their credit card and other information.”
However, the law does not specify what specific information can or cannot be accessed.
Privacy and security guidelines at the DHS do not require companies