Safe Harbor flip-thinking

European privacy laws turned out to be incompatible with the laws in the United States. Safe Harbor can therefore not be applied in European countries and now us Europeans are all obliged to move our data to European clouds. Aren’t we forgetting about the real important stuff here? Aren’t there more important aspects to privacy related issues? Such as identity theft?

Personal information gets stolen everyday and the incidents we hear about in the news are getting bigger and bigger. Millions of records are stolen each day. At the moment the amount of hacked data is so enormous, that such stolen information is only worth about $1 per person. And in the meantime we worry about Safe Harbor…

One of the Safe Harbor privacy principles is:

  • SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

I think the main issue here is the word reasonable. Time and again it proves to be very easy to illegally retrieve information from companies’ computer systems. A number of aspects makes this so easy:

  1. Forced access to systems is quite simple
  2. Data has been stored in such a way that you can easily recognize it as personal data
  3. Organizations store too much information and store it in an unprotected way

Apart from this, there are large issues with authentication dealing with most organizations. It turns out to be very easy to arrange important issues by just sending a copy of an ID, a credit card number or social security number. We are all changing our complex passwords every month, but in the meantime your system can easily be hacked by just getting access through badly protected services running in your domain, secured with default admin passwords that never get changed. We all do payments with the same 4 digit pincodes belonging to our debit or credit cards. And getting access to important information like tax records is badly secured as well, using passwords that you probably haven’t changed in years.

We are fooling ourselves with regard to authentication. The illusion of great security. The mere fact that the NSA can confiscate European data because it has been stored in US clouds is not the real problem. The fact that the NSA can so easily be hacked is the real problem. And the fact the the data is so easily accessible and understandable. Besides encryption, data should also at the very least be obfuscated.

Apart from that it is not only important to know with which cloud provider you’re doing business, but more so with which “shop”. And how much of your private information you give away. When you register yourself with a website, and that website is hosted on Amazon or Microsoft cloud servers, that is not a guarantee that your data is safe and stays private. The architecture of the web solution is of much greater interest. It can even be the case that your social security number or credit card number will be stored in a cookie, which can very easily be accessed by unauthorized persons. If the web developer has coded it like that because he thought it was a good idea, nobody will find out (in time). Only until it hits the newspapers…

As a civilian you really don’t have a clue where your data is stored and how safe it is. Safe Harbor is not going to change anything about that.

Maybe the best solution will be the fact that stolen privacy sensitive information is becoming less and less expensive to buy by criminal organizations. It’s almost not worth the bother of hacking a system anymore. If governments would only develop good laws to protect civilians, so that all civilians can for example have guaranteed access to health insurance against standard fees no matter how they behave according to their timeline on Facebook, privacy sensitive information is not relevant anymore. If obtaining a new bank account or mortgage can only be done by means of face-to-face authentication, leaking privacy related information is not an issue anymore.

If you always have the legal right to be able to prove that you have not done something, for example transferring a large amount of money somewhere, then all is alright. In today’s world, it is very easy to do that, with all the digital breadcrumbs we leave behind all day.

The solution lies in immutable architecture and Big Data. If everything will be stored, using distributed systems, and the relationships between all these data can be determined on an ad hoc basis instead of creating the data models up front, the burden of proof cannot be falsified and everyone is always able to prove you have not done something.

The problem of leaking or confiscating privacy sensitive data will solve itself… Devaluation of privacy information is the answer!

Cheers, Gijs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s