Vviewpoints
DOI:10.1145/3300224
Privacy and Security
2018: A Big Year
for Privacy
Retracing the pivotal privacy and security-related
events and ensuing issues from the past year.
THE YEAR 2018 may in the fu- ture be seen as a turning point for privacy incidents and associated privacy- policy concerns. In March,
the Cambridge Analytica/Facebook
incident opened many eyes to the
unanticipated places personal data
reaches, and it continues to generate repercussions.4 Google shut down
its struggling Google Plus social networking system in October, after announcing it had exposed the data of
approximately 500,000 users,15 only
1% as many as involved in the Cambridge Analytica case. Facebook revealed another data breach in October, this one affecting a reported 29
million users.14
The open GEDmatch genomics
database, developed for genealogy
research, was used by police and
genetics experts to identify alleged
murderers in two “cold cases” and
several other crimes.8 The site’s
founders, at first uncomfortable
with its use by law enforcement,
seem to now be more comfortable
with it. Researchers subsequently
estimated that today approximately
60% of Americans of European descent could be identified from their
DNA, even if they had never registered their DNA with any site.6
Further, they forecast the figure will rise
to 90% in only two or three years.9
The John Hancock Life Insurance
Company announced it would sell
life insurance only through “
interactive” policies that provide financial
incentives to track policyholders’ fitness and health data through wearable devices and smartphones;2 and
the latest Apple Watch can take your
electrocardiogram.
Innovation has
its downside and
loss of privacy is
not easy to remedy.
On the policy front, the long-await-ed implementation of the EU’s General
Data Protection Regulation (GDPR) in
late May12 triggered many reviews of
corporate data privacy policies globally. These revisions required untold
numbers of clicks by users asked to acknowledge policy changes.
About a month later, under threat
from a strong privacy ballot initiative, California passed the California Consumer Privacy Act of 2018.1
It incorporates some features of the
GDPR and gives California consumers the right to know what personal
information businesses have about
them. Consumers control whom the
information is shared with or sold to,
and can request that information be
deleted. This law begins to require
consumer-facing businesses to live
up to some of the Fair Information
Practice Principles that were mandated for U.S. government systems (but
not commercial enterprises) by the
Privacy Act of 1974.13
“Personal information” in the
California law is broadly defined. It
includes biometric information, but