Privacy Policy Developments and International Terror

Posted on by Joshua Marpet

Terrorism: The very word strikes fear into people. Even after over a decade of the "War on Terror," it's still frightening. What concrete outcomes have resulted from the war on terror today?

It's been shown, studied, and proven that people are willing to give up privacy in order to get more security. Has this resulted in any day-to-day changes to the way the Internet works? Absolutely. Example? So many free services! There's a famous saying about free services: "If you're not paying for it, you're not the consumer. You're the product."

Another change has been privacy policies. Privacy policies are the codified regulations that a website or company works under. Whether for a regulatory reason (HIPAA, PCI, ISO 27001) or to show that the company cares about the privacy of its customers, these policies are written down and promulgated to customers and the public. It's good PR to have strong privacy policies. People like their privacy, and they like companies who respect that.

That respect for privacy should be in effect even when data moves overseas. Safe Harbor laws allow U.S. companies to register as compliant with the European Union level of privacy protection. The compliance requirements for Safe Harbor include:

  • Notice "Your data is being collected. It will be used for X and Y purposes."
  • Choice: "Click here to opt out of data collection, and click here to disallow third-party usage of your data."
  • Onward Transfer: "Your data must only be transferred to third-party organizations which also follow good privacy policies."
  • Security: "Don't lose the data!!"
  • Data Integrity: "Don't collect irrelevant data! Make sure the data matches what you are seeking to research."
  • Access: "Click here to see what data we have collected, and to change or delete it, if necessary."
  • Enforcement: "There must be effective means of enforcing these rules."

But privacy policies have to keep reality in mind. If a government entity comes calling, with a court order, a National Security Letter, or any one of a few different documents, that privacy goes out the window. So terrorism, and the fear of terrorism, has affected the privacy of many customers.

Reading the privacy policy of a vendor is important. When will they hand over data, to whom, and under what circumstances? What countries will the data transit, be stored in, and be processed in? Who has access to the unencrypted data? Where are the decryption keys stored, and who has access to them? Which employees have access to the data or keys? What happens in the event of a government order, server failure, or seizure of the entire data center?

So, it seems that privacy policies must take into account encryption, governmental inquisitiveness, and the level of privacy the customer requires—all due to terrorism.

Is there anything that can be done? If a system is designed to keep the privacy of customers intact, even from the company providing the service, then the loss of privacy is negligible. Such zero-knowledge systems are built in order to keep privacy intact, from government, vendor, and anyone else.

There are multiple companies building or looking to build zero-knowledge systems. But can they truly be "zero-knowledge"? After all, a government subpoena trumps all privacy, doesn't it? Not necessarily. If the system is encrypted with a good enough cipher, and the vendor or hosting company does not have the decryption key, then nobody can touch it.

So terrorism has indirectly sponsored and encouraged the spread of zero-knowledge systems and high-level encryption systems. Strange connections, indeed!



cloud security cyber warfare & cyber weapons law privacy

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community