The United States Now Needs To Be Part of Any Privacy Threat Model

Posted on Dec 23, 2015 by Rick Falkvinge

When I was working in the European Parliament, there was one quote that stuck with me: “you’ll never see somebody’s own government listed among the threats to a customer’s privacy in their marketing material”. For all the companies out there wanting to “help” you with your own data – mail spam filters, big data processors, cloud services, and so on – there’s always a kleptocratic government lurking in the background, and it is an utter and unacceptable threat to the security of that data.

With the passage of CISA in the United States last week – the bill that has been described as a “Patriot Act on Steroids”, and which was dysfunctionally attached as a rider to a budget bill to prevent discussion or even attention – the United States government is now an open adversary to worldwide privacy. (It always was, or at least has been since the 1970s, but it has apparently discovered it is getting away with it so well that it no longer cares to hide it.) While the US is by no means alone in this data kleptocracy – the British GCHQ, the German BND and the Swedish FRA all come to mind – it is geopolitically dominant at this time, whether one approves of that observation or not.

“There’s no such thing as the cloud, it’s just somebody else’s computer.”

This fall, the European Court of Justice – the equivalent of a European Union Supreme Court – essentially ruled United States soil untrustworthy for the data of European citizens, citing the lack of legal privacy rights there. The effect of this is that U.S.-based companies may not transmit personal data about European citizens out of the European area, where legal safeguards for its use exist.

The ramifications of this cannot be overstated. While it may be argued that the court is not quite in tune with how modern projects operate (mostly not caring about borders in the first place), the court declared the previous Safe Harbor agreement – an illusion that U.S. companies would safeguard the privacy of European citizens when trusted to do so – null and void. Not because the U.S. companies as such couldn’t be trusted, but precisely because the U.S. government couldn’t.

After all, when you have a mechanism that not only allows a government to go in and take whatever it wants from anybody operating on its soil, but also prohibits those who witness such a violation from ever speaking about it (so-called National Security Letters, with their gag orders), you cannot trust anybody operating on that soil with any kind of confidential data.

Especially since the passage of CISA, U.S. companies are simply no longer in a position to promise any kind of privacy safeguard. A U.S. company’s privacy policy is a joke, unless that policy describes zero-knowledge operation (not having or logging the data in the first place). You can only trust them with previously-encrypted data, where they hold no key of any kind – or, for that matter, with their encryption as one additional layer on top of your own, never the only one: as stated above, the US is not the only kleptocratic government.
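What “previously-encrypted data, where they hold no key” looks like in practice, as an added example (not code from the original post or from any provider it mentions): the client encrypts with AES-256-GCM before anything leaves its own machine, the storage provider is a stand-in that keeps and surrenders whatever it is given, and the object name is bound in as associated data so a blob moved to another name fails to authenticate on the way back. The provider type, the sample record and the key handling (a random key that never leaves the client; real key management is out of scope) are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what the storage provider ("somebody else's computer") actually
// receives and keeps: a nonce and AES-GCM ciphertext. No key, no plaintext.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Provider is a hypothetical stand-in for a cloud storage service. It is
// deliberately dumb: it stores whatever it is given and will hand all of it
// over to anyone who asks (a government demand, a breach, a curious admin).
type Provider struct {
	store map[string]Blob
}

func NewProvider() *Provider { return &Provider{store: map[string]Blob{}} }

func (p *Provider) Put(name string, b Blob) { p.store[name] = b }

func (p *Provider) Get(name string) (Blob, bool) {
	b, ok := p.store[name]
	return b, ok
}

// DumpEverything models a compelled disclosure: the provider surrenders
// every byte it holds.
func (p *Provider) DumpEverything() map[string]Blob { return p.store }

// Client holds the only copy of the key. The provider never sees it.
type Client struct {
	aead cipher.AEAD
}

// NewClient builds an AES-GCM client from a 32-byte key (AES-256).
func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Seal encrypts plaintext before it leaves the client. The object name is
// bound in as associated data, so a ciphertext the provider moves to a
// different name fails to authenticate when it comes back.
func (c *Client) Seal(name string, plaintext []byte) (Blob, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates a blob fetched from the provider.
// Wrong key, wrong name or a single flipped bit all return an error.
func (c *Client) Open(name string, b Blob) ([]byte, error) {
	if len(b.Nonce) != c.aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return c.aead.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
}

// ProviderCanReadPlaintext is the check the threat model asks for: does
// anything the provider holds contain the record in the clear? With
// client-side encryption this must always be false.
func ProviderCanReadPlaintext(p *Provider, plaintext []byte) bool {
	for _, b := range p.DumpEverything() {
		if bytes.Contains(b.Ciphertext, plaintext) || bytes.Contains(b.Nonce, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	client, _ := NewClient(key)
	provider := NewProvider()

	// Constructed sample record; it never reaches the provider in the clear.
	secret := []byte("patient 4711: test result positive, contact tracing pending")
	blob, _ := client.Seal("records/4711", secret)
	provider.Put("records/4711", blob)

	fmt.Println("provider can read plaintext:", ProviderCanReadPlaintext(provider, secret))

	got, _ := provider.Get("records/4711")
	pt, err := client.Open("records/4711", got)
	fmt.Printf("client recovers: %q (err=%v)\n", pt, err)

	// The provider, or whoever compels it, moves the object to another name.
	_, err = client.Open("records/other", got)
	fmt.Println("opening under a different name:", err)
}
```

The point of the design is that a full dump of the provider’s storage, key and all, yields nothing readable; the provider’s own at-rest encryption, if it has any, is only the extra layer the post describes, never the one you rely on.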

This is also observable in the intellectually dysfunctional statements on privacy from several presidential candidates. While running for the highest executive office in the United States, they appear not just unaware of, but downright oblivious to, some of the most important rights of citizens. It’s not just that the current position is bad – the trend is worsening. They don’t even understand the concept of general-purpose computing, as Cory Doctorow points out: anybody with a general-purpose computer is capable of strong encryption. End of story. Trying to turn this into a “bad ability” is not understanding the concept of the computer in the first place. Is this the kind of person you want running a country?

As a result, frankly, the offline-born generation of policymakers and decision-makers are enemies of privacy, and cannot be trusted. On second thought, privacy shouldn’t depend on having to trust somebody in the first place. That’s the whole point of it.

Starting in 2016, any data threat model needs to include the question “does this data, at any time or in any shape, touch US or UK soil unencrypted?”. If the answer is yes, there is no privacy, and the architecture needs to be remodeled.

Privacy remains your own responsibility.