9/11 Legacy: 20 Years of Unchecked Data Collection

The Morning of September 11th and its Lasting Impact

The events of September 11, 2001, are etched in the memory of nearly every American adult. I recall being on the second level of the White House’s West Wing, participating in a National Economic Council Staff meeting, when a Secret Service agent urgently entered the room, instructing us to evacuate immediately – even advising the women present to remove their high heels for a quicker departure.

Just sixty minutes prior, while serving as the National Economic Council’s technology advisor, I was finalizing briefing materials for the deputy chief of staff. These materials pertained to an upcoming Oval Office meeting with the president, scheduled for September 13th. We were nearing completion of preparations to secure the president’s approval for a federal privacy bill to be sent to Capitol Hill – essentially a more robust, national iteration of the California Privacy Rights Act.

A World Transformed

This proposed legislation aimed to establish safeguards for citizens’ data, mandating explicit consent before information sharing, and regulating both data collection and its subsequent utilization. However, the course of that day irrevocably altered these plans.

The White House was evacuated, and the ensuing hours were marked by a succession of tragedies that sent reverberations throughout the nation and the global community. Being present in Washington D.C. that day meant directly witnessing and experiencing the full spectrum of human emotion – grief, unity, disbelief, resilience, determination, urgency, and ultimately, hope.

Reflections on the Day After

While much has been documented regarding September 11th, I wish to focus on the subsequent day, September 12th.

Upon the National Economic Council staff’s return to the office, our leader at the time, Larry Lindsey, delivered a poignant message. He acknowledged that some might feel uneasy about returning, stating that we were all potential targets. He refrained from appealing to patriotism or faith, but instead, as an economist, appealed to our self-interest.

A Call to Action

Lindsey argued that if we retreated, others would follow, leaving a void in the defense of our societal foundations. He urged us to uphold our values, act with integrity, and not sacrifice freedom in the pursuit of safety and security. He implored us to “hold the line.”

The nation’s response to the September 11th attacks was commendable in many respects. However, as a professional specializing in cybersecurity and data privacy, I reflect on Lindsey’s counsel and the crucial lessons learned in the years that followed – particularly concerning the protection of our societal pillars.

The Role of Data and Missed Opportunities

Although the memories of that day remain vivid, two decades have passed, and we now recognize the significant role data played in the months leading up to the 9/11 terrorist attacks. Regrettably, we failed to connect critical pieces of information due to intelligence data being siloed in separate locations.

These data silos hindered the identification of patterns that would have been apparent with a secure framework for information sharing. Consequently, we vowed “Never again,” and government officials sought to enhance intelligence gathering capabilities.

The Patriot Act and its Consequences

However, this pursuit lacked sufficient consideration for the potential consequences on civil liberties and data security. The Patriot Act was enacted, containing twenty years’ worth of surveillance requests from law enforcement and intelligence agencies. Having participated in negotiations with the Department of Justice regarding the Patriot Act, I can attest that, despite understandable intentions – preventing future attacks and protecting citizens – the resulting negative consequences were far-reaching and undeniable.

Domestic wiretapping and widespread surveillance became commonplace, eroding personal privacy, data security, and public trust. This level of surveillance established a precarious precedent for data privacy, while yielding limited gains in the fight against terrorism.

The Abandoned Privacy Bill

The federal privacy bill that we had been poised to present to Capitol Hill in the week of 9/11 – a bill that would have solidified individual privacy protections – was ultimately shelved.

In the ensuing years, the cost of collecting and storing vast amounts of surveillance data decreased, enabling tech and cloud companies to rapidly expand and dominate the internet landscape. As data collection increased across both public and private sectors, more individuals gained access to private data, but without corresponding privacy safeguards.

A Glut of Data and Eroding Trust

Today, we are confronted with an abundance of unrestricted data collection and access, with large technology companies and IoT devices gathering data on our movements, conversations, relationships, and even our physical well-being. Data breaches – resulting from ransomware or simple misconfigurations – have become so frequent that they rarely garner significant media attention.

As a result, public trust has diminished. While privacy should be considered a fundamental human right, it is not currently being adequately protected, and this is widely recognized.

The Crisis in Afghanistan

The humanitarian crisis in Afghanistan serves as a stark illustration of this issue. Tragically, the Taliban have seized U.S. military devices containing biometric data on Afghan citizens who had supported coalition forces – data that could facilitate the identification and tracking of these individuals and their families. This represents a worst-case scenario of sensitive data falling into the wrong hands, and we failed to adequately protect it.

“Never Again” – A Recurring Plea

This is unacceptable. Twenty years later, we are once again compelled to declare, “Never again.” September 11th should have prompted a fundamental reassessment of how we manage, share, and safeguard intelligence data, but we have yet to achieve this. In both 2001 and 2021, our approach to data management has had life-or-death consequences.

Progress is being made, however. The White House and the U.S. Department of Defense have prioritized cybersecurity and Zero Trust data protection this year, issuing an executive order to accelerate the fortification of federal data systems. Fortunately, we possess the technology necessary to secure sensitive data while maintaining its shareability. We can also implement contingency plans to mitigate the risks associated with data falling into unauthorized hands. However, our progress is too slow, and delays will inevitably lead to further loss of life.

Rebuilding Trust and Transforming Data Management

Looking ahead, we have an opportunity to rebuild trust and revolutionize data privacy management. First and foremost, we must establish clear boundaries. We need a privacy framework that grants individuals inherent control over their own data.

This necessitates that public- and private-sector organizations invest in the technical infrastructure to enable data ownership and control, linking identity to data and restoring ownership to the individual. This is not a simple undertaking, but it is achievable – and essential – to protect our citizens, residents, and allies worldwide.

An Ecosystem of Open Source Solutions

To accelerate the adoption of robust data protection measures, we require an ecosystem of free, accessible, and open-source solutions that are interoperable and adaptable. By integrating data protection and privacy into existing processes and solutions, government entities can securely collect and aggregate data, revealing valuable insights without compromising individual privacy. These capabilities are available today, and we must leverage them.

The sheer volume of data being collected and stored presents increasing opportunities for American data to fall into the wrong hands. The devices seized by the Taliban represent only a small fraction of the data currently at risk. Nation-state cyberattacks are escalating, and this threat to human life is not diminishing.

A Call to Responsibility

Larry Lindsey’s words from September 12, 2001, remain relevant: If we falter now, who will defend the pillars of our society? It is the responsibility of public- and private-sector technology leaders to protect the privacy of our people without infringing upon their freedoms.

It is not too late to restore public trust, starting with data. But, will we, in twenty years, look back on this decade as a turning point in safeguarding individual privacy, or will we find ourselves repeating the same refrain: “Never again,” once more?