We’re still waiting for encryption standards

Consumers are responsible for ensuring the data they share is secure



What if you left your daily weight loss journal open on your desk, and after walking away from it, another person sat down and began reading about your late-night snacking habit – especially the embarrassing time you ate three pints of Cherry Garcia during the season finale of “Game of Thrones”? Would that be an invasion of your privacy?

What if the journal was closed? Had a lock? How would that change the conversation?

In many cases, the only thing standing between hackers and your private data is an outdated, unencrypted computer server with the most basic security settings.

News headlines are fraught with tales of yet another data breach allowing unknown entities access to our most personal health, financial, social and behavioral data. Why is this happening? Because it’s so easy. Our country’s businesses, private organizations and government are lacking process, policy and awareness around gaping holes in digital security, thus disregarding their obligation to protect their (and our) most precious asset: data.

That data – our Social Security numbers, responses to online forms, social media interactions, grocery shopping purchase histories, or banking information, for example – is stored within the computer networks of businesses large and small. And while best practices in information technology do exist to keep that information safe, there’s no requirement to follow them. The zeros and ones that comprise your digital identity could be easy to access, and even easier to use for nefarious purposes.

In the latest headline-grabbing incident, the personal information of 22 million people was compromised after hackers working for the Chinese state infiltrated the computer system at the federal Office of Personnel Management that stored human resources information for government employees.

In June, the American Civil Liberties Union of New Hampshire held a workshop for technology leaders in the state, who have the potential to be leaders in data security by evaluating their current systems and ensuring that they are applying the most secure technologies to protect them. The ACLU offered strategies for communicating, researching and launching initiatives that fill any gaps in their information security frameworks. Collectively, participants also strategized ways to work together to address data security issues in New Hampshire.

Until legislators take this seriously enough to create policy around the storage and use of sensitive information, your data is not safe. But individuals can take steps on their own to help ensure their privacy remains protected and their data safely stored.

Demand encryption

The most important step toward information security is encryption – coding data in such a way that renders it useless to anyone without the digital key to decode it. By default, all email and search data that flows through Google and Apple products and services is encrypted, so your iPhone text messages and Gmail group emails are safe. Only when the information is secure may we address the importance of data privacy and who should and should not be able to obtain your text and chat logs.

Do not submit information through unsecure sites

Secure browsing means that the data you submit and view through a website is encrypted, noted by the “s” in “https” at the beginning of the web address. Encryption doesn’t make the data impossible to steal, but it makes it infinitely more difficult to understand if it gets into the wrong hands.

It may seem like having an encrypted website would be an obvious and basic measure for companies to take, but sadly, that is not always the case. Wikipedia, the Internet’s most popular database of user-submitted and user-verified information, only adopted an encrypted protocol – or went https – on June 12 of this year.

Understand companies’ data policies

Make sure that the companies you trust with your data are protecting it. While it’s usually easy to locate a company’s privacy policy, their data security policy may be tougher to find. If you can’t find it, ask for it. Push any company you do business with to take data security seriously.

While the true issue at hand is the access and use of private citizens’ data (whether it be for marketing research or national security matters), the evolution of technology and how our society shares information requires us to think more broadly about how that data is safeguarded in the first place. Because if anyone with a little training and a lot of malicious intent can pluck it from the servers in which it is stored, what value does privacy have in the first place?

Our goal at the ACLU-NH is to start this conversation with individuals, businesses and local government, and expand the discussion about online privacy to include data security.

To learn more or to find resources to address data security for your company, visit aclu-nh.org or contact me directly at 603-224-5591 or devon@aclu-nh.org.

Devon Chaffee is executive director of the ACLU of New Hampshire.
