Protect the people in your data

Wordcamp London 2017

I’ve just returned from Wordcamp London 2017 and, just like other Wordcamps, it’s been motivating, inspiring, educational and downright good fun.

I was motivated by a number of talks.  Like many people I have a tendency to be really motivated at the time but, if I don’t act on it straight away, the motivation wanes.  So, something that makes me go straight out and do something is really good.

In this case it was a talk by my friend Heather Burns.

It’s not personal

Part of Heather’s talk was about how privacy is, and may be, impacted under the new presidential regime in the USA and Brexit in the UK.

Some of the legislation being considered potentially conflicts with the UK Data Protection Act and/or expected GDPR requirements.

Working within the IT industry we all tend to be conscious of and look after our own privacy. As systems builders and providers, we should not only take care of our own privacy, but the privacy of the people referenced in the data we hold.

“Protect the people in your data.” – Heather Burns – Wordcamp London 2017

You need to get more involved than signing an on-line petition.

Heather explained that, if we are to influence political decisions that impact the privacy of our users, we need to do more than the signing of on-line petitions.  Many such petitions are nothing more than vehicles for capturing mailing list data.

Activities can range from something as simple as joining the Open Rights Group right the way through to deliberately carrying out ethical hacking to remove or mask data that violates our users’ privacy.

Scary stuff

The thought of deleting or modifying client data is pretty scary. If I’m being honest, I’m not sure I have the bottle for it.  I would like to think I would follow the example of René Carmille and do the right thing. However, given the potential personal consequences, I can’t be sure I would.

[René Carmille] sabotaged the Nazi census of France, saving untold numbers of Jewish people from death camps.

I own up to being guilty of joining on-line petitions.  I am also a member of the Open Rights Group though and I attend local meetings.  Heather inspired me to want to do more.

Tor principles

As part of her talk, Heather listed the Tor Project’s 10 principles for keeping data secure under a hostile regime. We might see these principles as a gold standard of privacy.

  1. Do not rely on the law to protect systems or users
  2. Prepare policy commentary for quick response to crisis
  3. Only keep the user data you currently need.
  4. Give users full control over their data
  5. Allow pseudonymity and anonymity
  6. Encrypt data in transit and at rest
  7. Invest in cryptographic R&D to replace non-cryptographic systems
  8. Eliminate single points of security failure, even against coercion
  9. Favor open source and enable user freedom
  10. Practice transparency: share best practices, stand for ethics, and report abuse.

I thought about what I could take from these principles in order to do more to protect my users’ privacy.

Follow the data

On my own machines, data is encrypted. This includes the disks I use for off-site backup. Heather and the Tor principles got me thinking about how much care I take to make sure that my data stored by third parties remains private. The main third party in my case is my web site hosting provider.

The harsh truth is that, until now, my criteria for choosing a hosting company have been:

  • Cost
  • Support
  • Availability

All of these are really important, and this is probably the list you would get from a client if you asked. Following the talk from Heather I now add another criterion:

  • Privacy

Time to take action


Just before Wordcamp I had decided to build a new website. My intention was to use the shared hosting I already had in place for the website. I decided instead that I would take the opportunity to canvass the hosting providers with booths at Wordcamp and see if they could provide a secure environment for my data. If they could, I would buy a new hosting package and give them a proper trial using my new site as a guinea pig.

Setting Criteria

I came up with the following set of criteria/questions that I would ask the hosting companies:

  • Where is your data centre located?
    • I wanted a data centre in the UK or in an EU state where EU privacy laws would apply.
  • Who owns the infrastructure in your data centre?
    • Is it owned by the hosting company or by a third party, which would prevent the hosting company from having full control over who can access the data it holds?
  • What is your policy and process if a government agency asks for access to data that you host?
  • Do you provide free SSL certificates, i.e. do you support “Let’s Encrypt” certificates?
  • Do you support SFTP and SSH access?

What did I learn?

It turned out to be an interesting exercise.

Where is your data centre?

Not surprisingly, the bigger hosting companies had centres all over the world. A number could not guarantee where my data would end up. This was a definite issue, as I could not be sure what privacy or access laws would apply to my data.

Who owns the infrastructure in your data centre?

A number of hosts are using cloud services to provide the infrastructure for their hosting, the most common being Google and Amazon. Even if the data centre is located in the UK, the physical infrastructure may well be owned by a non-UK company and be subject to demands from non-UK or non-EU agencies.

What is your policy and process if a government agency asks for access to data that you host?

Actually, the question I ended up really asking was, “What would you do if the NSA or GCHQ demanded access to the data you host?” I got a range of answers to this one.

  1. I don’t know (scary).
  2. We would be obliged to provide access if it was a legal request (this could be because the requesting agency belongs to the government of a country where the data centre is located or where the host company is registered).
  3. We wouldn’t provide access, but we couldn’t prevent the underlying infrastructure provider from providing it. Both Amazon and Google may be legally obliged to comply with legal governmental requests for data.

Do you provide free SSL certificates, i.e. do you support “Let’s Encrypt” certificates? Do you support SFTP and SSH access?

To be honest I only got to these questions in the case of one host.

The outcome

The host 34sp were able to fulfil all my criteria.

  • Their data centre is in the UK
  • They reside in a shared data centre facility but own all their own hardware
  • They said that, “if presented with a proper request, in line with laws such as the Regulation of Investigatory Powers Act, we would have no choice but to provide such access.” However, as the data is kept within the UK, only UK and EU law would apply.
  • They provide free SSL certificates via “Let’s Encrypt” and they provide a very easy “one click” process for implementing the certificate.  They even take care of the certificate renewals automatically for you.
  • They provide SFTP and SSH facilities.

As a result, I jumped straight on-line and purchased a WordPress Hosting package from them.  By the time I left Wordcamp the next day, my website was installed and I was busy configuring it.

It’s not hard to do more

OK, so it’s not like I’m taking to the streets and protesting against the draconian bills currently going through parliament that will impact our privacy, but I’m now doing something more than I was to protect the privacy of my users.

What’s more, it didn’t take much effort. I would have been chatting to the companies with booths at Wordcamp anyway. All I had to do was prep a few questions and give them a good reason to answer (I had business to put their way).

There is a theory doing the rounds that the next big differentiator in IT will be privacy.  Whether it be services, hardware or software, it could be that the vendor’s approach to privacy will make or break them.

Thanks to 34sp for being ahead of the game and making it so easy for me to take steps to move toward better protection for my users’ data.

If you have other questions we could be asking of our vendors to improve data privacy, leave your suggestions in the comments.
