Welcome to the SecAware blog

I spy with my beady eye ...

26 Jan 2016

Privacy wars: US v The World

Fundamentally different approaches to privacy in the US compared to most of the rest of the world, the EU in particular, are causing headaches for organizations, governments and regulators on both sides.

For a while, the Safe Harbor arrangement was deemed adequate by the EU, enabling data on EU citizens to be passed to and processed by US organizations that pinky-promised to take care of it. Surprise surprise it didn't last. Self regulation - well not even that, simply asserting compliance - was a joke.

Snowden's recent revelations concerning mass surveillance by the NSA have opened a bigger can of worms: it seems the US gummt can bully its way past even its own legislative controls, and gag the companies it forces to disclose whatever information it demands. Ostensibly, the EU does not permit that kind of thing - although since EU countries face the same threats of terrorism, anarchy and chaos, I would not be aghast to discover that surveillance is simply more discreet in the EU, aside from the cosy 'five eyes' arrangements actively exploiting differences of law between the partners.

With impending changes to EU privacy laws likely further to extend both the definition of personal data and the privacy controls required, and the recently-enacted CISA law in the US, the stage is set for an almighty bun-fight.

Those fundamental differences of approach I mentioned underly all of this. As I understand it:
  • Personal information about a person belongs to that person, in the EU. They may choose to provide it to organizations, but it remains theirs, hence they still have control over it (or at least they should have*); 
  • Personal information about a person belongs to whover holds it, in the US. The person cedes ownership and control when they provide it to organizations.
Three obvious solutions include:
  1. Stopping the transfer of personal data on EU citizens to the US ... and stopping the unauthorized surveillance/interception/theft of such information by the NSA or other gummt bullies;
  2. Giving up on the EU privacy principles, and on privacy as we know it;
  3. Forcing US organizations - including the gummt - to provide decent privacy controls over personal data.
All three options are costly, disruptive and less than satisfactory.

Perhaps we need something less obvious? Maybe tokenizing personal information would help? Maybe dismantling Big Brother would help, if it's not too late already.


* On a personal note, I'm currently battling a French company that is refusing to delete my personal data and stop spamming me unless I first provide even more personal data to prove to them that I am really me. Oooh the irony of it.

No comments:

Post a Comment