Can defending privacy be a violation of privacy?
At Tresorit, we work to ensure businesses and individuals stay in control of their data. Our users trust us with their data because of the privacy and security inherent to end-to-end encryption. However, they have legitimate reasons or legal obligations to know what happens to their data when shared with others in some cases. But how can such data be collected without infringing on the receiving users’ privacy rights?
At the recent Bitkom Privacy Conference, I spoke about the questions we asked ourselves about balancing control over files and the privacy of users accessing them. Showcasing the solutions deployed by Tresorit, I emphasized the need to balance monitoring tools and user rights.
Privacy: A human right
First things first, at Tresorit, we consider privacy a human right. We believe in making privacy simple and accessible. That’s why we provide enterprise-level security coupled with a consumer-grade user experience. Zero-knowledge end-to-end encryption is the bedrock of our technology and why businesses and individuals around the world trust us.
This trust led our users to apply Tresorit in various roles, including external file sharing. However, when sharing company files outside of the organization, teams have a legitimate interest – and in some cases legal obligation – to know what happens with their data on the receiving end. In opposition, recipient users have their right to privacy.
A conflict of interest
It seems these rights and interests or obligations are in conflict. However, truthfully, a company’s control over its data can also be seen as part of its right to privacy. In highly competitive industries, corporate espionage is a huge risk. While the GDPR sets out requirements for how companies handling the personal data of EU citizens must deal with data breaches. And companies need data to mitigate or analyze breaches.
For example, an employee sends the wrong share link to a third party. The accidentally shared file contains personal information, for example, the shipping addresses of customers. While revoking the link will block future access, you will need answers to gauge the extent of the leak.
Was the link opened? Was the shared file downloaded? How many pages of it were read? Each answer will help outline the next steps you have to take to mitigate the effects of and fall out from the error. But without information, companies are forced to assume the worst: personal data is now in the wild.
Alarm bells ringing
However, in a digital setting, the only way to collect this data is by monitoring user activity. To be honest, the term ”monitoring user activity” is one way of getting the alarm bells ringing at a privacy-centric company like Tresorit. How can we deploy monitoring tools without compromising our user’s fundamental right to privacy? After careful thinking, we decided on a solution based on three pillars:
- firm legal foundations
- automation to ensure user privacy
- and tools for users to exercise their rights.
1) Legal framework
Since the GDPR entered into force, the legal basis of data collection has become a significant question. With similar legislation rolling out around the world, this requirement is no longer limited to Europe. In general, data collection must be based on a handful of causes, for example:
- clear, explicit user consent
- legal or contractual obligations
- legitimate business interest
As a privacy-centric company, we believe that data should only be collected when absolutely necessary. Furthermore, data handlers are accountable for what happens with that data. To this end, the monitoring solutions we eventually built into Tresorit are only available to enterprise-level users. They are enabled manually upon request, following a review of the customers’ obligations and business interests connected to data collection.
2) Automating user privacy
To provide additional safeguards to users that open received files, we created automated systems that our customers cannot change. These solutions ensure that users are always informed when they open a monitored file. Tresorit also minimizes all data collection, handling data retention and deletion automatically.
3) Tools for users
Beyond these automations, we require users to provide explicit consent to data collection before opening files with advanced tracking features enabled. Furthermore, using the report abuse function (also always visible), they can inform Tresorit if a customer abuses the functionality. What constitutes abuse in our eyes? For example, a company uses the metrics collected to send unsolicited marketing emails to those with whom it has previously shared a file.
The solution: A balancing act
This was the thought process that led to Tresorit’s advanced link and document tracking functionality. When the feature set is enabled, manually on request as detailed above, users have access to data on:
- link opens
- “Save to Tresor” actions
- how long a user viewed a document online and which pages they checked
It’s important to note that as the provider of an end-to-end encrypted service, Tresorit will never have access to this tracking data or the files themselves.
We believe that by limiting access to these advanced tracking tools, informing users clearly, and rolling out automated protections, we have created a solution that allows enterprises to meet their legal obligations with the smallest possible impact on user privacy. If you want to learn more about our thinking or the solution itself, watch my presentation in full here.