A Tinfoil Hat – Data Protection and Security

For those of you that know me in my regular life, you will recall I can get a bee in my bonnet about data protection. Partly this is due to my previous professional roles and responsibilities. A frequent comment is that tinfoil hats are needed, as if my concerns and others are exaggerated.

Using the Internet, and any part of modern society means that your personal data is not personal or private, it belongs to big corporations and government agencies. I do not believe that governments will deliberately misuse the data. That is the way of conspiracies and tinfoil hats.

The scope though for data loss, data selling to third parties, (who will misuse it) and data errors will grow. Then, there are the criminal risks. If the security services need a backdoor through encryption, then that back door exists for anyone that can find it. Ashley Madison anyone, to name one hacking case.

This also goes to some of my more reclusive tendencies. Reclusive? I hear you exclaim, a sometimes writer with a twitter feed, email, Facebook page as well as this blog. However, when it comes to data, this tendency can become overactive.

I do not have a personal Facebook page, and my on-line activities are covered by occasional blogs and comments on Goodreads. I have author profiles on Amazon and other sites, I have a Linked-In profile but my other personal details do not appear. I do not share my birthday or medical details on-line and I would prefer it if the companies I interact with did not either. Nor, my financial details, spending patterns or other marketing led data. But we are in the era of big data. Having worked for one of the big credit reference agencies, I am aware of just how much data is known about me. More interesting, is the analysis applied to that data to be sold to other companies, which then results in marketing.

I recently received a mail shot from a marketing company offering me contact details on 5 million company directors. My details are probably in that list. How did they get that data (It might not be accurate of course,) but how? I did not give anyone permission to give my data to this company. But of course I probably did when I forgot to tick or un-tick a box on another web site opting in or out. Of course, I could have just wanted to run something, and hidden in the EULA was an explicit clause along the lines of “We may use your data with selected third parties, if you do not wish this to happen etc….” To use the product you have to agree. Next thing you are offered US Car loan deals in Wisconsin – I kid you not. Not helpful in rural England not New England – the original.

Why is this relevant? Well last week saw the European Court of Justice (ECJ) rule that one of the data safeguards used by many companies, including Facebook and many cloud providers, the so called Safe Harbor (US Spelling) rules, were not worth the paper they are written on. Under that scheme the European rules on data protection are upheld in the USA where most cloud providers and social media companies reside. 

This comes not just on the back of the Eric Snowden revelations about security service activities but also due to the USA’s Patriot Act. Under the act, American companies are effectively obliged to hand over all data. Then, there is the ongoing dispute involving Microsoft being asked to hand over data by the FBI held in an Irish data centre via a court order in a US Court without going through the existing legal agreements with the Irish authorities.

For cloud providers including WordPress what does this mean. In legal terms, it means that no European citizen or company can handover data to a US company and know that the data is legally protected from misuse i.e. selling on or using for a purpose other than which it was provided. Something that US companies do not seem to understand. The UK’s Information Commissioner Office (ICO) provides a very simple set of principles for managing data which meets European requirements but they too have been relying on Safe Harbor and other contractual protections called Model Clauses when data is processed outside the EU.

The EU and the USA are negotiating new data protection rules, but the bottom line for all of us is that if you use any cloud based provider that has any connection to a US company for any corporate or personal activity, you cannot expect any privacy. You cannot expect that any of your data will not end up in the hands of the US authorities, or sold on at the whim of a company. Expect more spam, and more targeted marketing built on analysis of everything from your inside leg measurement to who you discussed fashion with on a social media outlet.  The terms of service issued by the providers with all their associated privacy policies are worthless, and overridden by the activities of the US agencies and corporations.

A tin foil hat won’t help.

Data security post