Tresorit at RightsCon: The Business of Privacy
Is it possible to profit from protecting personal data? To build business models based on respecting and enhancing customers’ privacy? What is #fakesecurity? How can people and companies protect themselves online? These are the questions I tackled with my co-panellists at a landmark session during this year’s RightsCon, the world’s leading summit on human rights in the digital age. Let me recap some of the most intriguing parts of the discussion here.
The value of personal data
According to legend, the Lenape Native Americans sold the Island of Manhattan to the Dutch colonial governor Peter Minuit for glass beads worth $24. The Lenape were clearly taken advantage of at the time by European settlers who did not compensate them fairly for this transaction. People are now selling out their private data to tech giants for “glass beads” in a similar way, without being fairly compensated for the value of the data they pass on to these companies.
Users are tricked into believing that these services are free and are then presented with privacy notices which they are pushed to accept; otherwise, they are unable to benefit from the service. The reality is that nothing is free, neither offline nor online. But benefiting from online services shouldn’t come at the price of having to provide all of our personal data; users should be given the choice to subscribe for a fee. Some might wonder (and rightly so): would anyone actually be willing to do that?
People are becoming increasingly sensitive to the security and privacy of their information online, which is due to the proliferation of data breaches and data misuses by big tech. With more awareness come more conscious choices. But there was agreement among my fellow panellists that there is room for more education and a long way still ahead of us. We need to equip people with the right technical tools and help them learn about privacy-minded services to put that education into practice.
Encryption as an enabler of online privacy
As the U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression put it, encryption provides individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and information without interference, and enabling them to exercise their rights to freedom of expression and opinion. There are many services that build their business model on encryption and thrive on providing people with privacy from the ground up.
Even large companies are realizing the potential of encryption, which seems to be becoming a buzzword these days. Facebook, which has an uphill battle ahead to regain its users’ trust, announced its privacy-focused vision a couple of weeks ago, which builds on making Messenger end-to-end encrypted by default. And there are plenty of other businesses that claim to use encryption to protect client data.
On the one hand, this is a great development as the widespread use of encryption can help people and businesses to better protect their data online. On the other hand, it can also open the door for creating a false sense of safety – fake security, if you will.
Cryptography is complicated. There are different types of encryption, and they do not guarantee the same level of security. The problem is that the average user might not be able to differentiate between these and could have the impression that whenever a service uses encryption, it’s automatically secure. This, however, is not the case.
There is a big difference between companies which use server-side encryption and those which encrypt data on the client’s side. When it comes to the former, the provider encrypts the data before storing it on its servers. However, the service provider also holds the encryption key to that data. This means that their system administrators, and anyone who manages to hack their servers or simply get hold of an administrator’s password, can decrypt the content. In the case of the latter, encryption and decryption of digital information are done on the client’s device, and the data is accessible only to them and those they authorize. End-to-end encryption is the only way to provide users with true control over their data.
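The difference in who holds the key can be seen in a small Node.js model, added here as an illustration; it is not code from the original post or from any provider. All function names are hypothetical, and deriving the client key from a passphrase with scrypt is an assumption made for the sketch.

```javascript
// Added illustration; every name here is hypothetical, not a real provider's API.
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Everything the provider stores, i.e. what an administrator of its servers can read.
function newProvider() { return { blobs: new Map(), keys: new Map() }; }

// Server-side encryption: plaintext reaches the provider, which creates and keeps the key.
function uploadServerSide(provider, name, plaintext) {
  const key = crypto.randomBytes(32);
  provider.keys.set(name, key);
  provider.blobs.set(name, seal(key, plaintext));
}

// Client-side encryption: the key exists only on the device; salt and ciphertext are uploaded.
// Assumption: the key is derived from a user passphrase with scrypt.
function uploadClientSide(provider, name, plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32);
  provider.blobs.set(name, Buffer.concat([salt, seal(key, plaintext)]));
}
function downloadClientSide(provider, name, passphrase) {
  const blob = provider.blobs.get(name);
  const key = crypto.scryptSync(passphrase, blob.subarray(0, 16), 32);
  return unseal(key, blob.subarray(16)); // throws if the passphrase is wrong
}

// What is recoverable from the provider's own state alone?
function readWithProviderStateOnly(provider, name) {
  const key = provider.keys.get(name);
  return key ? unseal(key, provider.blobs.get(name)) : null; // null: ciphertext only
}

const demo = newProvider(); // constructed sample data
uploadServerSide(demo, 'server.txt', 'salary list');
uploadClientSide(demo, 'client.txt', 'salary list', 'constructed passphrase');
console.log(readWithProviderStateOnly(demo, 'server.txt'));
console.log(readWithProviderStateOnly(demo, 'client.txt'));
```

In the server-side case the provider's state is sufficient to recover the plaintext; in the client-side case it holds only a salt and ciphertext, so protection rests on the strength of the secret kept on the device.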
Joining the panel with Liz Steininger, CEO of Least Authority, a company supporting people’s right to privacy through security consulting, Christel Dahlskjaer, CCO of Private Internet Access, a leading VPN service provider, and Gustaf Björksten from Access Now, an international nonprofit which defends users’ digital rights, I was lucky to have had the opportunity to explore new, exciting, privacy-focused business models and draw attention to the dangers of a future where data-hungry businesses prevail.
Being a strong advocate of privacy as a human right, I am committed to promoting educational opportunities which enable people to have a better understanding of online security and to find the right tools to protect their privacy.