A GDPR ripple effect will help bring internet privacy back from the dead, Jon Callas predicts

Despondent internet users who love the convenience smartphones have brought but regret losing control of their data have reasons to be optimistic, according to a veteran technology industry executive who left Silicon Valley to work for the American Civil Liberties Union.

Jon Callas, a computer security expert who left Apple for the ACLU last year, said Monday it’s become too easy to become nihilistic about personal privacy because of the last decade of negative headlines about corporate data collection. But international rules and legislation have started to adjust for the digital age, Callas said, predicting that users will not tolerate constant location tracking and other tradeoffs made in the name of efficiency.

“The good news is that the privacy situation has gotten so bad that people want to change it,” Callas said during a presentation at the RSA security conference in San Francisco. “That means that over the next five to 10 years we’re going to see the pendulum swing back the other way.”

Callas also served key roles in the development of PGP encryption and at Silent Circle, which created the Blackphone, once touted as the most secure Android phone available. He said there are several reasons to expect that corporations and governments will not collect and store personally identifiable information without oversight — including Europe’s General Data Protection Regulation, recent U.S. court decisions, California’s upcoming privacy law and a law in Illinois that limits the collection of biometric information.

GDPR, for example, requires all companies that collect personal data about European Union citizens to be transparent about the reason for collection, to be prepared to delete some data at a user’s request, to go public about a data breach within 72 hours, and to follow other guidelines. Similar measures are included in California’s Consumer Privacy Act, legislation set to go into effect next year over the objections of the tech industry.

“Number one on the list of where we’re getting things right is GDPR,” Callas said, adding that U.S. companies have been upset over the measure because it forces them to prioritize the protection of user information.

“It’s certainly not perfect, but what it’s making us do in terms of looking at user privacy in a more rigorous way will help us advance,” he said. “Smart companies are doing GDPR for all users … and this is a really good thing.”

User skepticism about corporate data collection also has provided a market opportunity for tech giants like Apple and Microsoft to specifically market their products as privacy-conscious. Now, companies offer laptops that encrypt user data by default, a significant upgrade from the previous generation of technology, he said.

The march toward privacy utopia is not inevitable, however, Callas said. He warned that a significant fraction of the international economy will continue to rely on monitoring users, then reselling that information until it no longer is profitable.

Another discouraging sign, he said, is the legalization of encryption-breaking measures. Callas cited Australia’s passage of a law in December that authorizes law enforcement to compel technology companies to create a security vulnerability that would give them access to otherwise protected messages.

Now, he said, India is engaged with Facebook on the creation of a backdoor in WhatsApp, and China increasingly is interested in similar rules.

“The idea of surveillance backdoors is not going to be something that’s limited to this little club of good democracies are doing and not the others,” he said. “Countries are starting to say, ‘Hey if others are doing that, we want in, too.’”