“There is a distinct difference between secrecy and privacy.” – Alanis Morissette, Interview
I heard that quote a few years ago, it is one that has always stuck with me. Personally, I am a big proponent of respecting privacy, but secrecy is an entirely different thing. Where the line is drawn depends on each individual unfortunately.
Previously, when doing security consulting for businesses, one of the common themes was the employers ability to access email, files, voice mail and even phone conversations of an employee if they felt it was necessary. Taking email for example, most employers feel they have a right to read any email that enters or leaves their company network, regardless of whether it is private in nature or not. I have been given arguments that the employer owns the equipment and the network and are ultimately responsible and must have the ability to do these types of activities if they feel it necessary. I had a discussion with an individual that was a senior executive that felt very strongly in favour of this opinion. I then gave him a scenario where he was collaborating with another company in a different province and the conversations were around some trade secrets or business that was sensitive in nature. I asked him if it would it be okay if his upstream ISP or one of the ISPs along the path captured and read his email correspondence with this company. His response was an absolute ‘no’ it would not be okay. I then stated that it is the ISPs network, they are ultimately responsible for the security and integrity of it. Two things happened. First he didn’t like the conversation anymore, that became very obvious. Second, he made some statement about it being ‘different’ and changed the topic. This made me realize that everyone wants secrecy for themselves, but do not want anyone to have secrets kept from them. Yes, a very obvious statement, but I think it also comes down to that simple concept which drives all these debates, discussions, and laws or lack of laws.
So why am I bringing this up? Michael Hyatt has a blog that I read regularly. I don’t know him personally, but he seems like a good guy and has some insightful entries. He recently commented on the idea of using Gmail for his business email. I completely understand why he is considering it, and would argue that if you are a small or medium size business it could make complete sense financially and logistically. What about the privacy implications? What if Google has a security breech and data is lost or stolen? What if Google is late to apply a security patch? What if there is a security hole that Google isn’t aware of but a criminal is? If there is a legal issue with a company in Germany that is using a cloud computing application who’s laws apply for data access? Suppose you accept the terms of service and policies around Gmail and choose to use their service for email. A year later, you change your mind and wish to have all your email transferred to a different server or service. Can you do this? Will all your data be erased from Gmail servers and their backup systems so they could never retrieve it again? Do you care?
I think technology, innovation, and the internet are awesome. But I also think it is very important that individuals and businesses realize and think seriously about the privacy implications. Some suggest this is pointless. With GoogleDocs, Gmail, online CRM systems, and the multitude of other cloud computing applications available and in use, we have already made this decision even if it is somewhat unconciously as a society. I feel this statement may be right, and that makes me sad.
