HomepageCommercial LawPrivate LawPublic Law & Human RightsCriminal LawEU & International LawCareers

Accessibility

Have Irlen Syndrome, or need different contrast? Click the button below for options.

Background Colours

Subscribe

Enter you email address below to subscribe to free customisable article notifications.

Alternatively, click the button below for our various RSS Feeds (available journal wide, or per section).

Data Privacy: Due Diligence Due?

About The Author

Chris Bridges (Executive Editor)

Chris is an IT and Data Protection solicitor at a top 20 full service firm and the founder of Keep Calm Talk Law. He also contributes to Computers and Law and other sector specific publications.

[Read More]

Update 09/04/2014: A recent survey by NTT Communications has revealed the extent to which Edward Snowden has affected business decision making in relation to the utilisation of the cloud. Some additional notes have been made below reflecting the results. Download the survey results.

In this day and age, you do not have to look far to find references to the alleged surveillance state we live in. Only last week London saw a bonfire night protest, led by the activist group Anonymous, campaigning against an increase in state surveillance. Scenes reminiscent of ‘V for Vendetta’ unfolded as thousands of masked protestors took to the streets, including the not so anonymous Russell Brand.

How extreme is this surveillance state? It depends largely on your personal perspective.

Are people’s perceptions of the security of their data necessarily true? It seems not.

The Catalyst

The idea of a surveillance state is by no means a new one. Many of you may have read George Orwell’s novel ‘Nineteen Eighty-Four’, published in 1949, which envisages a tyrannous society with omnipresent surveillance. Even if you have not read the novel, you will undoubtedly have heard of ‘Big Brother’ the reality TV show named after one of Orwell’s characters, or heard the phrase “Big Brother is watching you” which also derives from Orwell’s novel.

There is no doubt, in 1949, society’s awareness of state surveillance would have been raised by Orwell. However this soon died down.

Arguably, the Orwell of our time, prompting recent public awareness, is Edward Snowden, an American computer scientist who leaked details of numerous top secret surveillance programs in May 2013.

Snowden is still making the headlines causing a souring of American-Russian relationships following a decision by the Russian authorities to grant Snowden temporary asylum, prompting Obama to withdraw from meetings with Putin, the Russian president.

Unlike Orwell’s revelations, Snowden’s were very much a reality.

So what did he leak?

Most notably, details of the US PRISM program operated by the National Security Agency (NSA), and the UK’s equivalent Tempora program operated by GCHQ (not to be mistaken for the more tasty Japanese dish, Tempura).

The two programs are not dissimilar – both monitor telecommunication traffic, storing intelligence, which may very well include your personal data (as un-valuable intelligence as it might be).

This article is not concerned with whether Snowden was ‘right’ in disclosing these details; that is another topic entirely. Here, we are concerned with the ‘panics’ these disclosures have caused, and whether the right assessments are being made by layman with regard to international data privacy.

Comparative Privacy

You may well have heard people talking about whether data is ‘safe’ in certain countries, or suggesting data is far ‘safer’ in one country than another. Whilst it is without a doubt true data is safer (in the sense of privacy) in some places than others, many conceptions of where data is safest, or even safe, are entirely wrong.

Quentin Archer, Winston Maxwell and Christopher Wolf have recently made a number of observations regarding data safety in a range of countries, and the misconceptions people have with regard to governmental access. Here, we go through these.

Due to the 2001 USA Patriot Act, people believe the US government has greater power to access people’s data than other countries. Wrong. Arguably, data is actually more private stored in the USA than in many European countries.

Out of the countries compared:

  • the USA and Japan were the only countries to criminalise voluntary disclosure by internet providers of customer data.
  • the USA and Germany were the only countries that have made it a requirement that the customer be notified if their data is disclosed to a governmental body by the provider (with a few exceptions)

Among the factors assessed, the USA had on the whole comparable access to the other countries assessed, meaning the USA arguably comes out as the ‘safest’ country to store data (but by no means entirely safe from governmental snooping!).

There are of course other considerations that should be taken into account when assessing the safety of data in the USA. Most notably, non-US citizens are not afforded the same protection as US citizens (probable cause is not needed) and the US Supreme Court may not have the power to protect non-US citizens outside the USA. See Judith Rauhofer’s response to the trio’s article for further information.

One area in which the USA was not the safest, ‘beaten’ by Germany and Japan, was the storage of data overseas. In many countries, it does not matter whether your data is stored abroad. For instance, if a US headquartered company stored its data in another country, the US government could require production of data stored abroad simply because of their physical presence in the US. However Germany and Japan do impose a prohibition on accessing data physically outside of their borders, even when the company is based within.

The trio also suggest that due to Mutual Legal Assurance Treaties many physical borders are obsolete when it comes to governmental data access, regardless of the above points. These agreements stipulate that one signatory state can request information from another signatory state for the purpose of lawful investigation. If you have something to hide, and believe by storing your data off shore you have hidden it, you may be mistaken if one of these treaties is in place. These, where applicable, make stipulations that data is safe from the grasp of governmental authorities untenable. If there is a lawful reason to investigate, say goodbye to your privacy.

Finally, many do not take into account the route data takes when it is transmitted from a PC, laptop or smartphone to a secure server. Data does not fly in a straight line. It is routed between numerous servers, potentially around the world. Consequently, businesses may think their data is safe from the clutches of the US PRISM program because they send data from their London offices to remote servers in mainland Europe, but in actual fact this transmission may well have gone via a server located in the US. If it has, it may well have been intercepted.

These points are of course only relevant to governmental access, which is only one consideration when deciding where to store data. Other considerations might be national industry standards regarding network and facility security.

Nevertheless misconceptions are being made about the extent of the surveillance state, not just in the UK, but globally.

(For a full tabular comparison of the studied countries, see this pdf document, courtesy of the aforementioned authors).

Update 09/04/2014: Recent surveys suggest over 31% of businesses are moving data to somewhere they believe it will be safer following Edward Snowden's leaks. 97% of respondents within the EU now prefer data to be in their own locality.

These Misconceptions Could Cost

Misconceptions such as these may very well cost organisations. Before making public assertions regarding the safety of customers’ data, companies need to thoroughly investigate the legal implications of locating their data in a certain territory. It is not enough to simply assume data is safe due to its location. If they do not, they could be opening themselves up to litigation from their customers, mislead on the privacy of their data.

Due diligence is due. Governmental access to data is by no means a simple topic. This article has barely touched on the plethora of considerations that must be made before deciding where to store sensitive data, whether it be customer data or the company’s own confidential files. Companies should seek proper legal advice before storing sensitive data anywhere, and not rely on misguided assumptions.

Update: 09/04/2014: The recent survey shows around 52% of businesses are now carrying out more extensive due diligence in relation to their cloud service contracts.

For the most confidential of files, I pose the question – would the wisest thing to do be simply to not digitise the data or place it on a machine connected to the internet?

As the digital age progresses, it is likely to become more and more difficult to ensure confidential data does not fall into the hands of others. It is almost a ‘rule of life’ that a benefit does not come without some form of burden. Whilst digital storage of data allows ease of access, rapid transmission, complex automated analysis and many business-changing features, it is not without pitfalls. By placing data on a machine connected to the Internet, you are opening yourself up to the possibility of someone thousands of miles away accessing your data, be it a government body or an amateur hacker. This is a risk you take. If it is a risk you should not be taking, then do not take it. Nevertheless, if the government wants whatever you are hiding, and believes you have it, only a warrant lies between them and your physical data.

Update: 09/04/2014: The recent survey shows 62% of businesses that have not already moved to the cloud are now reluctant to do so.

A Few Personal Thoughts

I personally have an inherent trust in our government, be it rightly or wrongly. I do not believe our government, or our future government would even consider imposing the state of tyranny seen in Orwell’s novel. Yes, the programs leaked by Snowden had been kept secret from us but a key part of that decision was undoubtedly because the programs were more likely to detect threats if they were not in the public eye.

Would it not just be better to accept that this is the age we live in? Does it really matter that the government could access your personal data? Millions of people each day broadcast information across the internet without a second thought. Most people will have signed up to a website at some point in their life, checking the ‘I accept these terms and conditions’ without even glancing over them; who knows what you could be allowing the website to do with your data.

Personally, I am more concerned about corporations using my personal comments and my picture on advertisements than I am about the government accessing my data. I have nothing to hide from any government body; the same can be said of most people and businesses. I am happy for governments to monitor my usage of the Internet in order to prevent crime; if they did not monitor data, criminality could run undetected.

What I am not happy with is large corporations being able to exploit personal data to make money, through sheer unawareness and lack of choice. I wonder how many of Google’s users know their picture could be used in an advert all over the Internet? I expect the majority of these would be unhappy about it.

What does however make me question my trust of government, is Snowden’s latter, and less publicised leak; the ‘Bullrun’ program. Over the last 20 or so years, the NSA has by brute force, agreement or clandestine means inserted ‘backdoors’ into widely used industry standard encryption systems, or in other words created a ‘master key’ for common encryption standards. Ever noticed the green padlock or address bar when you are filling in an order form online? The encryption method used to do this (SSL) is one of many that has potential vulnerabilities to US government intrusion. It is relied on by millions of companies to keep data secure as it is transmitted over the Internet.

This, I feel, is a step too far, and does break my trust to some extent. If they really have deliberately created backdoors, it may only be a matter of time until someone else knows how to use it. When this happens data we thought was secure using ‘the latest industry standard encryption’ is open to anyone. They have inserted vulnerabilities, and then allowed them to be marketed as secure. This is deception, not secrecy. I sincerely hope the UK has not been involved in such deception.

Resources / Further Reading

Quentin Archer, Winston Maxwell and Christopher Wolf, A Global Reality: Governmental Access to Data in the Cloud.

Quentin Archer, Winston Maxwell and Christopher Wolf, government data access comparative table (PDF Download).

Judith Rauhofer, Governmental Access to Cloud Data: A Response.

Ian Brown, Lawful Interception Capability Requirements.

Steven J. Vaughan-Nichols, Has the NSA broken SSL? TLS? AES?

Sebastian Anthony, NSA and GCHQ have broken internet encryption, created backdoors that anyone could use.

Daisy Wyatt, The Independent, Russell Brand joins thousands to protest for Anonymous Million Mask March.

For the latest articles straight to your inbox, you can subscribe for free. Alternatively, follow @KeepCalmTalkLaw on Twitter or Like us on Facebook.

Tagged: Commercial Law, Privacy Law, Technology

Comment / Show Comments (0)

You May Also Be Interested In...

The Ashley Madison Scandal: It’s About More Than Infidelity

14th Oct 2015 by Rachel Dean

How Long Until Privacy Prevails?

13th Sep 2014 by Chris Bridges

Is There Really a ‘Right’ to be Forgotten?

17th May 2014 by Chris Bridges

It's not the end of the line for data retention

10th Apr 2014 by Chris Bridges

Online Pirates, prepare to be boarded! Right after we borrow a ship…

5th Apr 2014 by Chris Bridges

Google to get a slap on the wrist for ‘stalking adverts’?

25th Jan 2014 by Chris Bridges

Section Pick May

Taming the Retail Giants: The Impact of Mergers & Acquisitions on Competition

Editors' Pick Image

View More

KCTL News

Keep Calm Talk Law: Moving Forward

3rd Sep 2019

Changing of the Guard: Moving Keep Calm Talk Law Forward

12th Aug 2018

An Anniversary or Two: Four Years of Keep Calm Talk Law

11th Nov 2017

Rising from the Ashes: The Return of Keep Calm Talk Law

18th Nov 2016

Two Years On, Keep Calm Talk Law’s Legacy is Expanding

11th Nov 2015

Twitter

Javascript must be enabled for the Twitter plugin to function. Click below to visit us on Twitter.

Free Email Subscription

Subscribe to Keep Calm Talk Law for email updates, and/or weekly roundups. You can tailor your subscription on activation. Both fields are required.

Your occupation / Career stage is used to tailor your subscription and for readership monitoring.

Uncheck this box if you do not want to receive our monthly newsletter.

By clicking the Subscribe button, you agree to our privacy policy and terms of service. Please ensure you read these in full.

Free Subscription