Whoa! Browsing habits? Even if, in some alternative universe, companies like Google and Amazon were somehow convinced to exclude from analysis any activity coming from a European IP address, this deal is about data transfers, with the content ultimately residing on U.S. servers. If someone with access to those servers and that data goes surfing, how can we possibly offer the promise that it won’t be accessed or analyzed by anybody?
This has echoes of companies that promise, for example, that payment data won’t go anywhere — until someone remembers that marketing grabbed a full copy and that Sydney dumped a copy onto a thumb drive and worked on it at home over the weekend. And he used the desktop he shared with his teen-aged son, who likes video games that tend to drop viruses.
Let’s get back to those U.S. government intelligence agencies. They have been told to look for evidence of terrorist activity wherever they can. We simply can’t label any area of data “unsearchable,” because that’s where bad guys will go.
To be more precise, we can certainly say that we won’t look there, but what self-respecting NSA analyst wouldn’t? Both sides know this, but they play the game. In effect, the message is “I am glad you agree to not look at these files. And when you do look at them, make sure you don’t let us catch you.”
Steve Hunt, an industry analyst with Hunt Business Intelligence, initially reacted to the news with sarcasm. “That announcement makes me smile. I am actually thrilled about it,” he said. “I finally have a way to protect corporate secrets from government surveillance.” His tongue-in-cheek plan was to throw all sensitive data into a server, label the folder “European personal information” and “they’ll have to bypass.”
Hunt, turning serious, said that such an agreement “would require policy and oversight that extends far beyond traditional government reach” and added that it would be “so costly and difficult that it would be practically impossible. It’s a promise without any possible weight behind it.”
One of the many problems with such a move is audit efforts, confirming compliance. “Even a self-assessment would be prohibitively expensive and 100% gameable,” Hunt said. “The apparatus required to confirm a deeper audit would be so vast and expensive” as to be unworkable.
CIOs must not make these same mistakes. As Americans make greater privacy demands, don’t promise what you can’t deliver. If that’s what you want to do, go join marketing.
Sign up for CIO Asia eNewsletters.