What to Do about Privacy

By now I'm sure everyone knows about how the NSA is spying on virtually every email coming in or out of the country, and nearly everyone that's connected, even indirectly, to anyone even vaguely suspicious. If you're not sure why we should care about privacy, read this piece by Cory Doctorow.

Brad Feld posted this morning about Lavabit committing corporate suicide. Lavabit is the company that provided Edward Snowden with secure email, and they were being forced by the US government (presumably) to violate their privacy/security agreement with their users. Rather than compromise security, they chose to end business operations.

What I found particularly interesting was the comment thread, in which Brad's readers were asking him to take a stance, and he said that he didn't yet know what action to take (more or less).

During my drive to work, I started brainstorming what possible actions might be. I don't know what would be effective, so consider this nothing more than a list of raw ideas.
  • Donate to the Electronic Frontier Foundation (EFF). They, more than anyone else, are the single point organization on the topic of privacy and security on the Internet. They're organizing information and fighting legal cases. 
  • Don't make it easy for people to spy on you. While we should assume that our emails, web browser activity, and everything else is widely available (both for legitimate government use as well as abuses of that power), we can still take steps to make it more difficult to be spied on. Some of these include:
  • If you are running a business, reconsider your use of cloud services. Although that's the direction we've all been heading in the last few years, is it worth the potential risk? How would you be affected if your private business correspondence, plans, and data were leaked to random folks, including your competitors? For many years the argument in favor of cloud computing was that you can leave the security to the professionals. Now that we know virtually all cloud computing companies are insecure, that argument is no longer valid. (Consider also that many companies host on AWS. If Amazon is providing data to the NSA, then every company using AWS is also compromised.)
  • If you're an investor in a tech startup, consider the cloud strategy for that company. Is privacy or security an integral aspect of what they're offering? If so, they should strongly consider hosting in a privacy-friendly country, like Sweden. The company itself might be better off being located outside the US. If privacy or security is an integral part of their product, this should be a serious concern. That doesn't just mean companies providing privacy or security as a product, but any product where the value of the product is threatened or diminished without privacy. For example, we can't even begin to comprehend how genetic data might be used in the future. I'd like to know where my 23andme data is housed. (Given that Google is an investor, is it on Google servers? Great, now the NSA has my genetic profile.)
Any other ideas?
