Told you: U.S. companies simply don’t have agency to promise any kind of safeguards for collected data

Posted on Oct 10, 2016 by Rick Falkvinge

In the Yahoo fallout, Europe is now accusing the United States for disallowing its corporations to give any kind of guarantees for handling sensitive private data. This means that US companies won’t be allowed to transmit European private data out of Europe, with far-reaching implications: the so called US-EU Privacy Shield, which was supposed to replace a different but similar deal also destroyed by the US NSA policies, is being called into question.

One particularly interesting fallout of the Yahoo NSA spying, where it appears Yahoo was forced to build a spy machine against its own users and gagged by the government as to that spy machine’s existence, is the realization that no promise from any US company is worth anything with regards to the security of private data that they have collected about you. It cannot be worth anything; it is prevented from being worth anything. Not because of bad morals of the company you’re doing business with, but because of the shadow of the government hanging over them and the threat of force if they the company doesn’t comply and sell you out.

This is now being brought up as an argument that US corporations can’t be allowed to transfer privacy-sensitive data out of European jurisdiction, where such data no longer enjoys European safeguards. US corporations have been allowed to store such data on US servers, under the precondition that they promise to do so by European standards. With this spying coming to light, it is argued that no such promises are worth anything, and therefore, the deal is off at the European level.

“Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern,” the regulator in Dublin, where Yahoo’s European headquarters is based, said in a statement.

It’s particularly noteworthy that the “Privacy Shield” was a hastily concocted mess supposed to replace a previous deal, called the “US-EU Safe Harbor” for private European data with US corporations, and which the European Court of Justice struck down just because of NSA spying on the data as well (points 28 through 31 in the ruling). Writing a new deal without addressing the underlying problem of the old one seems a very… political thing to do.

Europe has a completely different attitude to privacy than the United States. Whereas the US establishment mostly regards privacy as something you sign away and be done with it for some corporate benefit, Europe takes it much more seriously. Subpoenas exist, but are public record. This is the reverse situation from how the two powers view freedom of speech, by the way, which the United States takes very seriously, and Europe pays kind-of lip service to.

Since US companies can’t promise any safeguards for already-collected data, if you want to do business with a US company and retain your privacy, you need to stick to those which don’t ask for your blind trust. This insight appears to now trickle up to the European level. (Disclaimer: Private Internet Access is one such company, one that doesn’t need your trust. You can purchase PIA services with bitcoin and at no point in the business relationship do we need to know your identity, and we do not store any logs which can be used against you at a later date. This point can therefore be interpreted as being written for marketing, but I want to underscore how this point is much, much more important than simple, even if valid, marketing.)

Ten months ago, I wrote it would become clear that US companies simply don’t have the agency to promise any safeguards for private data that they collect. I highlighted how the US government need to be part of any threat model for a corporation operating in the United States – and how this is true for any government that issues gag orders combined with spying (the complete list so far, to the best of my knowledge, lists the United States, North Korea, and certain theocratic dictatorships).

In the next post, I’m showing how Private Internet Access deals with this by simply not logging anything at all, and also have the court records to prove it. Also, PIA protects the connection between your IP address and your subscriber identity; you should also always encrypt on top of this to prevent eavesdropping of the cleartext traffic, a measure that would have defeated the Yahoo governmental surveillance in combination with a VPN or Tor. Encrypt everything and everywhere.

Your privacy remains your own responsibility.

VPN Service