From policies and practices…
Without exception, consumers at companies need to take a greater interest in the privacy policies governing how data is handled by their technology providers, this ties in with the previous remarks about informed trust. The questions aren’t limited to the technology measures a supplier uses to maintain confidence, but rather about the business fundamentals and the underlying compass of business ethics/beliefs, and their resulting governance.
Consumers are forced to ask questions about the policies, corporate governance, and practices of businesses if they expect to reach an accurate conclusion. External audits and certifications do provide outside validation of practices, but often they merely state that an organization complies with basic “best practices”, and don’t necessarily question policies. The applicability of policies and beliefs are for the consumer to question and verify. Ad-driven email services aren’t appropriate for an energy company, but may be ok for a florist. Leaving all the customer records in the secure hands of one person within a healthcare firm simply isn’t appropriate (single point of failure), although it may indeed be legal.
Despite the best intentions of a DSP, there are limitations to what they can do to safeguard data.
The laws and regulations that govern business are factors that help consumers feel confident. A DSP may often have no choice but to cooperate with authorities. At times the process of complying with a requested disclosure of information can be a complicated process. Most firms are inclined to inform a user if their data has being requested by authorities, “unless this would harm the investigation”, or words to that effect. This information is often found in the small print of almost all data service contracts, and again, this emphasizes the “need to read”.
The concept of sweeping surveillance programs isn’t new but the potential scale and depth of data harvesting (afforded by modern technologies) has vastly outpaced the ability of lawmakers and elected officials to find a way to balance civil liberties and privacy with the needs of law enforcement. Again, this is a very loaded topic, and one we won’t enter. Everyone has their opinion on what constitutes reasonable and necessary pervasiveness, most DSPs will say, “we will comply with the law”, because that’s what they can do, no more, no less. And so we’re back to the concept of informed trust.
If a given firm isn’t comfortable with the rights to privacy afforded to them by the laws where their data is held, then they have to weigh the practical pros and cons more than only the principle of what those laws represent. Whether pervasive surveillance is damaging to a firm depends on the type of firm and how its customers are informed of that fact. Context and transparency are everything.
The reality is that some industries and segments simply won’t be hurt by these revelations of pervasive surveillance. Consumers continued to shop online in record numbers during the December 2013 holiday season. Exabytes of emails were exchanged. But some firms did move out from U.S. DSPs, and the number of private cloud and network implementations in Canada did go up. We’ve seen growth in our U.S. customer base.
Simply moving a hosted server out of one city into another won’t necessarily prevent authorities from doing what’s necessary to acquire the data. In fact, there are legal frameworks in place to facilitate this type of inter-jurisdictional cooperation. On an international scale, these are often referred to as MLATs, or mutual legal assistance treaties. In a nutshell, a MLAT is a templated process that allows authorities to share information and execute law enforcement processes. They can be incredibly cumbersome and costly in the manpower and money required to carry them out, so they tend to be reserved for higher risk investigations.
Measures like secure proxies and private encrypted networks can also help. The internet is a shared highway, that depending on the routes taken, can be tapped by any agent (law-abiding or not) on its way from source to destination. Routing information from Canada to Mexico means going through the U.S., unless someone wishes to implement a private satellite or international direct undersea cable link with no “man in the middle”. So, there are always options.
Privacy has a cost. And a price.
Part 1: Data privacy series This series discuss the challenges data service providers (DSPs) and their customers face.
Part 2: Data privacy series This series discuss the 3Ps and the criteria DSPs use to protect your data against threats.