Government operators can put private organizations in a bind, reports Alan Earls.
Most security and compliance professionals have plenty to do keeping up with the threats from bad actors, whether they are troublesome teen hackers, organized criminal groups or hostile foreign entities. If there are threats to security or privacy issues, they are the problem and one's own government is (usually) seen as trying to help.
However, events have shown that home governments and those of nominally friendly nations are far from angelic when it comes to honoring or protecting “protected” private information. Indeed, as leakers and whistleblowers have shown, the awesome power of governments, operating within the law and sometimes at its outer fringes, can be troublesome, potentially putting private organizations in a bind. Are corporate secrets and private information still safe when government agencies come calling?
The answer is: It depends.
The question of privacy is broad and its meaning varies with one's perspective. However, broadly, innumerable published reports and government documents have shown that the U.S. federal government has worked through various key players in the tech sector, particularly telecommunications providers such as AT&T and internet giants, to gain visibility into some or all of the traffic these entities handle. Other less strategically positioned firms sometimes faced similar requests to share data with the government. Some have pushed back but many have simply gone along. In addition, there is plenty of evidence of government agencies, legally or otherwise, scooping up data on citizens and, of course, on foreign entities and individuals, when and where they can. Sometimes, corporate sources are in that mix.
Globally, and in the U.S., the appetites of government agencies for information seem to have only grown more insatiable in recent years. Although promising “reform,” the eight-year Obama administration only expanded the U.S. surveillance state – even adding more authority to government surveillance efforts in its final days. A Trump administration intent on projecting an image of national strength and resolve seems unlikely to be any different.
But companies, stewards of information with a variety of legal (and some would argue, moral) obligations toward that information, are in a bind regarding the extent to which they can or should cooperate or resist, as well as how best to do either.
To some extent it depends on the nature of the organization and its attitude toward working with the government. The topic also bifurcates when it comes to the government's interest in the data on others that companies hold or process. Companies in the internet and telecom sector, for instance, seem to have been under the greatest pressure to work with the government while others, less so.
But all ultimately face the same issues. “If you just hand over data without insisting that government tell you why or at least circumscribing responses to only the specific requested data, you are enabling government overreach,” says Eva Galperin, director of cybersecurity at San Francisco-based Electronic Frontier Foundation, a privacy watchdog. “Even if you trust the U.S. government, you should realize that another government, say China or Russia, could come looking for data, too,” she warns. They might have a less clear legal claim, but may be in a position to retaliate against your business or your employees if you don't cooperate.
The takeaway, she suggests, is that businesses should minimize the data they retain so that they can reduce the likelihood of governments knocking on their door in the first place. Or, she adds, companies could employ end-to-end encryption as much as possible so that they minimize the amount of private data even they can access.