A couple of weeks ago I had the honor of being invited to participate in a roundtable discussion about what the NSA’s surveillance means for business and entrepreneurship, hosted by the Silicon Flatirons Center for Law, Technology and Entrepreneurship and the ACLU of Colorado at the University of Colorado (CU) Law School. People with many different backgrounds and professions were represented – legal, business, technology, academia, and activism – and since Identity has been the main focal point of my career, I was thrilled to see so many people engaged on this critical and timely topic.
A lot of the discussion centered on an individual’s expectation of privacy. One thing that we all seemed to agree on is that, from a cyber security/privacy perspective, most Americans were much more concerned about the Target breach than they are about the coinciding revelations about the NSA/RSA “arrangement”. To me, that makes sense because the perceived threat of someone else using your credit card – or worse – is much more palpable.
We discussed how the needs of law enforcement conflict with the need for security and privacy for enterprises as well as individuals. For example, in practice, if an email service provider encrypts all data by default, it becomes much more difficult for law enforcement to use that data.
Another interesting topic was whether foreign companies can trust US-based service providers and data centers to store and process their data, in light of the Patriot Act and recent revelations of NSA/GCHQ “data collection” operations. A great review of the practical legal aspects of governmental access to private data can be accessed here. I think it’s interesting that treaties called “mutual legal assistance treaties” exist to effectively enable the same type of data to be accessed by foreign (and subsequently local) government agencies. Additionally, foreign governments – particularly European ones – have implemented policies not unlike the Patriot Act. Some have passed regulations attempting to protect personal privacy and security of their personal data as well.
Related to entrepreneurial strategy, we seemed to agree that a good thing for startups to do is to minimize the data that you store – wherever you store it – so that you will limit your exposure to (1) government subpoenas and (1) data breach.
On a final note, personally it is inspiring to know that passionate, dedicated and knowledgeable people like the ones who represented the ACLU exist and are part of the conversation. Over the last couple of weeks since the event at CU I’ve had a bunch of conversations on the topic with colleagues, friends, and even a couple of neighbors, and done a little research, and the process has made me change my view of privacy.
I used to feel like I need to “get over it” and get used to the idea that privacy is no longer possible or realistic. But I’ve realized that privacy isn’t a binary function – where you have it or you don’t — it’s a question of degrees. I think the new reality is that we have “partial privacy”. While all that data about us is online somewhere, access to this data is limited and dispersed. For now. As citizens and consumers, we all need to understand exactly what kind of expectation for privacy is realistic. I will share more thoughts on this in an upcoming blog entry.