Government operators can put private organizations in a bind, reports Alan Earls.
Most security and compliance professionals have plenty to do keeping up with the threats from bad actors, whether they are troublesome teen hackers, organized criminal groups or hostile foreign entities. If there are threats to security or privacy issues, they are the problem and one's own government is (usually) seen as trying to help.
However, events have shown that home governments and those of nominally friendly nations are far from angelic when it comes to honoring or protecting “protected” private information. Indeed, as leakers and whistleblowers have shown, the awesome power of governments, operating within the law and sometimes at its outer fringes, can be troublesome, potentially putting private organizations in a bind. Are corporate secrets and private information still safe when government agencies come calling?
The answer is: It depends.
The question of privacy is broad and its meaning varies with one's perspective. However, broadly, innumerable published reports and government documents have shown that the U.S. federal government has worked through various key players in the tech sector, particularly telecommunications providers such as AT&T and internet giants, to gain visibility into some or all of the traffic these entities handle. Other less strategically positioned firms sometimes faced similar requests to share data with the government. Some have pushed back but many have simply gone along. In addition, there is plenty of evidence of government agencies, legally or otherwise, scooping up data on citizens and, of course, on foreign entities and individuals, when and where they can. Sometimes, corporate sources are in that mix.
Globally, and in the U.S., the appetites of government agencies for information seem to have only grown more insatiable in recent years. Although promising “reform,” the eight-year Obama administration only expanded the U.S. surveillance state – even adding more authority to government surveillance efforts in its final days. A Trump administration intent on projecting an image of national strength and resolve seems unlikely to be any different.
But companies, stewards of information with a variety of legal (and some would argue, moral) obligations toward that information, are in a bind regarding the extent to which they can or should cooperate or resist, as well as how best to do either.
To some extent it depends on the nature of the organization and its attitude toward working with the government. The topic also bifurcates when it comes to the government's interest in the data on others that companies hold or process. Companies in the internet and telecom sector, for instance, seem to have been under the greatest pressure to work with the government while others, less so.
But all ultimately face the same issues. “If you just hand over data without insisting that government tell you why or at least circumscribing responses to only the specific requested data, you are enabling government overreach,” says Eva Galperin, director of cybersecurity at San Francisco-based Electronic Frontier Foundation, a privacy watchdog. “Even if you trust the U.S. government, you should realize that another government, say China or Russia, could come looking for data, too,” she warns. They might have a less clear legal claim, but may be in a position to retaliate against your business or your employees if you don't cooperate.
The takeaway, she suggests, is that businesses should minimize the data they retain so that they can reduce the likelihood of governments knocking on their door in the first place. Or, she adds, companies could employ end-to-end encryption as much as possible so that they minimize the amount of private data even they can access.
However, at least from a legal perspective, there are some defenses for private organizations and privacy. For example, the Cybersecurity Act of 2015 included some liability protections for firms sharing data with the federal government, notes Scott J. Shackelford, Associate Professor of Business Law and Ethics, Indiana University. In other words, if private information were released inadvertently through an effort at sharing security information, the business would be shielded. However, “it is another matter if the government is accessing private data without the knowledge of the private sector party and that could open up other avenues for pushback, including litigation,” he explains.
Enza Iannopollo, a Forrester analyst in the U.K., has taken the measure of privacy regulations across 54 countries and examined how government surveillance is practiced and how personal privacy plays in broader regulations. Forrester's study, “2016 Interactive Data Privacy Heat Map,” of which she is a co-author, highlights a curious schism in attitudes by which, on the one hand, governments continue to implement ever more stringent requirements on how the private sector handles the data of individuals. On the other hand, though, most governments have increased their efforts to gain access to much of that same data – either by engaging with corporate sources or by expanding the government's own data-gathering efforts. In general, governments give themselves exemptions from privacy protections when it comes to national security so ordinary rules don't apply. “This is true across countries you wouldn't expect, including Germany, the Netherlands and Finland,” says Iannopollo.
In Europe there are regulations for data protection that span across 27 countries, but when it comes to surveillance each nation has its own domestic regulations, she says. “Last year, Microsoft won a court case in which they refused to disclose data in Ireland, which may be a signal that something is changing,” she says. Still, she adds, with most countries working on more surveillance the problem won't go away soon and there will probably be more conflicts between privacy and surveillance.
In the meantime, however, non-government organizations will have to muddle through. Benjamin Wright, a practicing attorney focusing on technology law, and a senior instructor at the SANS Institute, notes that corporate concerns about protecting privacy should also be melded with an awareness of the equally great perils of legal discovery. Discovery is a pre-trial procedure used by either party, under the law of civil procedure, to acquire evidence from the other through processes – such as a request for production of documents. In the age of electronic storage, the scope and scale of discovery has tended to expand. Thus, actions as diverse as a personal injury lawsuit, divorce or shareholder lawsuit could lead to extensive discovery activities during which large quantities of otherwise “private” information could become less so. And, of course, Wright notes, government agencies at all levels and across all functions are continually issuing subpoenas for information related to their activities that also produce similar privacy consequences.
At a strategic level, Wright says individuals and businesses are at risk whenever they put anything in writing. “If Hillary Clinton's campaign manager John Podesta had imagined that his emails would be stolen, he never would have written all those stupid things,” he says.
Given the potential for loss, seizure or inspection by foreign governments, or even the possibility of being “hacked” legally while in flight by U.S. security agencies, Wright says a good travel policy is to use encryption and VPNs and travel only with “blank” laptops that contain little or no important or private data. Similarly, with domestic surveillance at the local, state and federal level using devices such as Stingray (a Harris Corp. trademark), any conversation or transmission of information should be conducted judiciously. “Just don't say anything stupid, whether it is about a person or a business activity,” says Wright.
And, while there has been occasional talk about amending and updating the 1986-era Electronic Privacy Act to match the ubiquity and scope of today's privacy protection needs, Wright is not optimistic. “I never believe something will happen in Congress until it happens,” he says.
Keeping it private
On a more formal level, the first and most important preparation for protecting data from governments is determining whether a request for data is actually legally permissible, says Joseph Carson, Cyber Evangelist at Thycotic, a Washington, D.C.-based company that works to prevent cyberattacks. For example, if an organization is a multinational company or its customers span many nationalities, then “while the request may be legal in the home country it might be illegal in other countries,” he notes.
This would be similar to why Safe Harbor was deemed invalid, Carson adds. The Snowden revelations meant that companies that collected the data of European citizens and stored it in the U.S. were potentially in breach of European data protection laws, he explains. Yahoo was issued a warning over exactly that problem. “While it is important to comply with local laws, it is also important to know clearly the laws of the countries and nation-states in which you operate,” he says.
Beyond the purely legal issues, Carson suggests a very practical approach would be encouraging end-users to adopt encryption and private keys. This means that even if a government wants to access the data, the company has no ability to comply as the user holds the unique key, he explains. Other options include decentralizing and storing the data in each country of operation, as Microsoft has been doing with its data centers.
The best actions are to remove yourself from the equation, use end-to-end encryption, have the customer or users escrow or use their own private key, and store the data in a country in which laws best meet the customer's data protection requirements, Carson says.
There is one other defense method to consider, according to Wright. Under appropriate circumstances, lawyers always have a legal power of confidentiality, through attorney-client privilege and work product protections. “Working with a lawyer on sensitive matters could go a long way toward keeping matters private, or at least out of court, even if the NSA is listening,” he says.