Q&A: Author April Falcon Doss

‘You Shouldn’t Have to Be a Privacy Expert’ to Understand Data Rights

By Rachel Looker   

Author April Falcon Doss has spent decades in the data-privacy and cybersecurity sphere.   

Currently a partner at Saul Ewing Arnstein & Lehr in Washington, Doss chairs the law firm’s cybersecurity and privacy practice and co-chairs its congressional investigations practice.  

She also spent more than a decade at the U.S. National Security Agency, as associate general counsel for intelligence law. Doss also served as the senior minority counsel for the Russia investigation for the Senate Intelligence Committee.  

A graduate of Yale University and the University of California at Berkeley, Doss is the author of “Cyber Privacy: Who Has Your Data and Why You Should Care,” released in November.  

Doss told Digital Privacy News that technology advancements had made it challenging for people to understand how to protect their digital privacy and described how federal legislation might address privacy concerns.  

This interview was edited for length and clarity. 

Why did you write your book?  

I was first exposed to data privacy and cybersecurity issues in the early 2000s, when I began working at the National Security Agency.  

At that time, consumer-data privacy wasn’t really something that people thought a great deal about, because we were just in a much different place in the evolution of digital technologies.   

This was before smartphones, before Facebook.  

“How do we find a way to continue using smartphones and social media and retain some measure of control over our information … ?”

Working in the national-security sector, we were focused on Fourth Amendment rights, we were focused on First Amendment rights — but the idea that digital privacy and the intersection between digital information and cybersecurity and personal privacy as something that affected everyday people in their everyday activities all the time wasn’t really on anybody’s radar screen yet.  

When did you start to see the change? 

Fast forward to 2016, when I left government to work in the private sector.  

Everybody had smartphones. Everybody is on social media. Everybody is using apps and devices that have really transformed the technology landscape.   

As I was doing privacy and cyber-related work in 2016 in the private sector, I thought: “Well, my goodness, I have lived and breathed this stuff for 15 years — and it’s hard for me to keep up with all of the changes on a daily basis … .  

“If it’s hard for somebody who lives and breathes this stuff to keep pace …, how much harder it must be for everyday folks who are going about their business living their lives, focused on other things.”

You shouldn’t have to be a privacy expert to have an understanding of what data is being created about you, who’s collecting it, how it’s being used — and what rights you have with respect to that data.   

The book placed high on Amazon’s best-sellers for privacy. Why?  

Americans, just like people around the world, are really facing this conundrum: We love the convenience and capability of the devices and apps that we use.   

There’s no question digital technologies have brought lots of information, entertainment, connectedness to the world. There truly are benefits and upsides.   

At the same time, people here and abroad really are worried that they shouldn’t have to give up any notion of privacy to take advantage of these technological benefits.   

That’s really this inflection moment we’re in: How do we find a way to continue using smartphones and social media and retain some measure of control over our information and some measure of autonomy and anonymity as individuals going through our everyday lives?

On a different topic, the Protect Our Civil Liberties Act was recently introduced to repeal the Patriot Act, which was enacted because of 9/11. Can Washington realistically pass such a sweeping bill?

We are going to see legislative proposals that are going to look at national security and law-enforcement users of data.  

There are people on both sides of the aisle who have concerns about civil liberties and privacy protections.   

“China has been very aggressive for many years in its efforts to steal intellectual property from industries around the world and across sectors. There’s no reason to think that is going to slow down.”

We know that we have a very closely divided majority in both houses of Congress — and for that reason, I suspect that, in order to get legislation passed, it’s likely going to have to be viewed as fairly moderate.   

We will probably see reforms that are going to look at some aspects of the Patriot Act, some aspects of general uses for policing and national-security purposes of data — but sweeping reform is probably not going to happen out of the gate.

How can a federal privacy law balance the needs of law enforcement with those of U.S. citizens?   

I would expect that Congress will probably want to address consumer privacy in the commercial context separately from consumer privacy in law-enforcement contexts, for a couple reasons.   

Why?

One is that there are very different potential consequences if personal data is misused by law enforcement that can lead to false arrest, false imprisonment, unjust convictions — very different consequences than having private companies selling personal data and using that to exploit opinions and gain commercial advantage.   

There can be good arguments for why some uses should be permitted by the private sector, but not the government or vice versa.  

Trying to tackle all of the data-privacy uses in a single piece of legislation would be so complicated that things could quickly get bogged down.   

What issues should a federal privacy law address?

We will likely see federal privacy legislation that focuses on establishing some baseline individual rights with respect to personal data … . 

We’ll see some baseline commercial obligations — with respect to transparency, portability of data, rights to opt out of collection — and some obligations, with respect to perhaps a national data-breach notification standard rather than the current state-by-state standard.  

That would be one set of federal privacy legislation.   

We will probably see proposals for separate legislation addressing things like the use of facial-recognition technology, drone surveillance and cellphone-location records and similar kinds of data for law-enforcement purposes.

There’s a great deal of concern about the use of personal data in the policing context. We will likely see legislation on that, but it will probably be separate legislation.   

What about the increased concerns about China regarding U.S. technology and intellectual property?

One of the things that we know is that China has been very aggressive for many years in its efforts to steal intellectual property from industries around the world and across sectors — from U.S. defense contractors, from technology companies.  

Certainly, there’s no reason to think that is going to slow down.

“We have a very closely divided majority in both houses of Congress — and … in order to get legislation passed, it’s likely going to have to be viewed as fairly moderate.”

We know that they are a highly capable cyber adversary, so we know they rely on both human intelligence spies and also cyberattacks to steal that intellectual property.

We know that they are very focused on the quantum computing and artificial intelligence race.   

What would result from advancements in this technology?  

There’s a race among the global powers to see who is going to achieve dominance in AI and particularly quantum computing.  

Of course, once quantum computing becomes a truly viable technology, that would really change the shape of encryption as we know it — in terms of how effective encryption is at protecting information.

I suspect we are absolutely going to continue to see the Chinese government take a very aggressive stance with respect to cyber espionage, traditional espionage — for technology-related purposes.  

Rachel Looker is a Washington writer.   

Sources: