Several months before the RSA conference this year, Reuters published an article alleging that the NSA had arranged a secret $10 million contract with RSA. Documents leaked by Edward Snowden validated the claim, showing that the NSA had created and pushed through a flawed formula around data encryption that essentially created a built-in aperture for accessing private personal data.
RSA incorporated this compromised code into its BSAFE product, a widely used security application used to protect personal computers and other products. While RSA vehemently denies that there was ever any “secret contract” with the NSA, it does not dispute that the code is flawed and advised its customers to stop using it.
How does this play out in the real world? It means that if your encryption solution is based on RSA “keys”- public and private – your customer’s privacy is at risk. While there’s significant muddiness around HOW this happened, what’s certain is that breach HAS happened.
Companies marketing solutions leveraging this dual key-based approach are vulnerable to infiltration. And, even more disturbing, companies that have access to content created by customers can be compelled via court order to turn over sensitive information.
How can you protect your customer’s privacy both from secret surveillance and court ordered exposure? You don’t ever possess the information in the first place, because you can’t turn over what you don’t have.
To fully protect your customers, an intact encryption code prohibits proactive data mining. And, with respect to government surveillance and customer accounts, you need to select a solution that fully shields your organization from risk around being required by law to turn over private customer information under any circumstances.
If your customers don’t trust that the information that they exchange with you is safe and confidential, they’re not going to share it or purchase your goods or services. It’s plain and simple – if you can’t protect their privacy, they won’t be willing to do business with you.
This reservation is completely understandable. Why would anybody do business with an entity that can’t certifiably protect their privacy?
There are two key takeaways here. The first is the concept that when your customers share private information with you, it’s your obligation to keep that data private. The second consideration centers on your confidence around the efficacy of your solution. Is it a dual key based system that’s subject to breach? If so, it’s time to rethink both your vulnerability and your customers’ exposure to covert surveillance and malicious attack.
The bottom line is that you’re either committed to the security and privacy of your customers or you aren’t. There’s no middle ground. If you play Russian Roulette with your customers’ privacy, you will eventually get burned. Take control, be proactive, and – above all else – think about how it would be if a breach happened to you.