How abortion clinics can protect patient data from potential use against them

With the overturning of Roe v. Wade, the right to online privacy could very well be the next domino to fall. Like abortion, online privacy is not guaranteed by the US Constitution. This means that after a decade of radical laws adopted by governments around the world to legitimize mass surveillance programs, and now with the recent opinion of the Supreme Court, it is up to the private sector to stay ahead of the game and eliminate the ability of big-data collection programs and data leaks to expose vulnerable information.

Simply put, if something is connected to the internet, it is spyable.

Security agencies like the CIA, NSA, Interpol, Chinese intelligence, and the FSB all want service providers to provide them with backdoors so they can come in and gather intelligence for the mass surveillance programs that are currently taking place in all developed countries in the world. And where there are no backdoors, spy agencies are working to develop exploits.

However, there is a new way forward, which requires management platforms to re-evaluate their relationship with their cloud service providers and their users. This new method can be described as “Zero-Knowledge”.

An impossible mole hunt

With misleading anti-abortion “pregnancy clinics” collecting personal data from unsuspecting patients that could later be used as weapons against them, representatives across the aisle are asking for privacy guarantees for users of reproductive health apps in bills like the new “My Body, My Data” law. But it’s hard to enforce far-reaching laws, and there are always clever ways around the law for management platforms to get information about their users if that’s their end goal, which means governments can also access it.

Indeed, all of today’s online services that require the creation of a user profile operate under security pretenses that are best suited to the era of dial-up security, when a majority of non-financial services companies still had armies of analog processes to safeguard their transactions in cyberspace.

Platforms like Google, Amazon and Netflix promise security, but for most of the past 15 years at least (in the interim period between remote access and now – let’s call it Web 2.0) we’ve seen usernames, passwords, and everything else associated with a person scattered across a litany of penetrable servers spread across the globe. All you needed was the root certificate to access this information – and government agencies are allowed, by law, to request this information. Internal moles and hackers can get this key if they are skilled enough to do so.

This new era may see insiders leaking information from patients and doctors involved in abortion procedures. Within legitimate organizations like Planned Parenthood (or any other abortion clinic), there is a very real risk that inside moles with a political agenda will consider leaking the names of doctors willing to perform medical procedures. Worse still, a leak doesn’t even have to come from a clinic employee. The leaker could be safely nestled within the vast organizational confines of a huge cloud service provider like Amazon, Google or Microsoft, which together control about 65 percent of the cloud – an impossible mole hunt.

With all of this in mind, legislation like the new law in Texas that allows anyone to take legal action against doctors they suspect of performing abortions risks jeopardizing data privacy if it could advance such legal cases. Other Supreme Court decisions that violate privacy, such as Kipley v. Illinois, which prohibited the United States from firing people because of their political affiliation, may be subject to further review. After all, who’s to say that a data leak that ties a worker or group of workers to a political belief or organization isn’t the covert reason they were summoned to the main office and handed a pink slip? It’s your boss’s word against yours in the courtroom, and a heavy burden of proof for the labor attorney handling this kind of wrongful dismissal lawsuit.

Your data: lock it up, throw away the key

If you have an office in a country with an authoritarian government, or an office in a democratic country, or you just tend to use the internet occasionally, Zero-Knowledge is the safest route. But what is Zero-Knowledge? Here are some common examples of physical security:

In an old-style hotel, all the keys are behind the reception desk, associated with their room numbers. If the police want to enter a room, they can serve a warrant on the manager and just get the key. The way platforms like Amazon, Facebook, and Google handle their digital security is a lot like how an old hotel handles physical security. Although the guest may have the key to a private home, the hotel knows who and where he is and has the ability to access him and his property at any time. A request from the police cannot remain a dead letter.

A slightly higher level of security is seen in the era of Airbnb, where property management companies or private landlords often send, via WhatsApp message, a safe code giving access to a unique key to the property that the temporary resident has paid to rent. This means there is an additional layer of security, as law enforcement must contact the owner through Airbnb in order to serve the access warrant. Second, Airbnb doesn’t have the safe code (usually).

These two additional security measures grant an extra layer of privacy, as the renter is protected from the landlord or property manager via the contract they both agreed to as part of Airbnb’s all-inclusive rental agreement. Everyone is a little safer and law enforcement must work to gain access, not just ask for it on a pretext.

But a real example of Zero-Knowledge would be how Yale sells its physical security services. The Airbnb property owner can purchase a safe from Yale used to store their property key and then change the safe code. Since the code is programmable by the owner of the lock, the only way for law enforcement to enter a Yale safe is to physically hack it with some sort of metal-cutting tool.

In the digital sphere, Zero-Knowledge is a process by which the host sells a digitized version of a Yale lock to the management platform. The user programs the password, and this password is transmitted directly to the server. Server information is then only retrievable via the API, and those without initial access are unable to retrieve anything substantial.

Sure, law enforcement can physically break into any server, but they need an ironclad warrant or risk a lengthy public legal proceeding against a technological adversary with likely vast resources and capable privacy lawyers.

No knowledge, no more control

Platforms are not malicious by design. Much like the hotelier handing the room key to the police captain in the first example, online businesses must comply with the government when asked — even if the requested information concerns foreign nationals operating on servers in different countries (hello, DNI Haines). As long as they have the technical ability to comply, they must comply. If they cannot comply, then law enforcement will seek the assistance of the service providers by serving them a warrant requesting the root certificate. And until now, that was the end. The ghosts inevitably won.

Zero-Knowledge offers an alternative. Service providers that allow management platforms to deeply encrypt their users’ classified information are no longer able to access the root certificate once the initial password is created by the user. If a service provider has “no knowledge” of the encryption key that allows access to its users’ raw and proprietary data, law enforcement should go directly to the user with their warrant – or enter the physical servers where user data is stored, if the servers are located in the same country.

The main downside to Zero-Knowledge is the fact that if you forget your password, you’re done – there’s no option to reset the code once you forget it.
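The property described above, as an added sketch that is not part of the original article or of any product it mentions: the key is derived from the password on the user's device, so the provider only ever stores salt, nonce, ciphertext and tag, and a lost password leaves nothing to reset. Function names and the sample record are assumptions made for this example, which also assumes the password itself never leaves the client.

```javascript
// Added illustration (not from the article). Function names and the sample
// record are hypothetical; only Node.js built-in crypto calls are used.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const SAMPLE = "patient=constructed-example; visit=2022-01-01"; // constructed data

// Runs on the user's device only: stretch the password into a 256-bit key.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32); // Node defaults: N=16384, r=8, p=1
}

// Client side: encrypt before upload. The returned object is everything the
// provider stores; neither the password nor the derived key is part of it.
function seal(password, plaintext) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt. Returns null when the password is wrong or the stored
// record was modified, because the GCM tag check fails in both cases.
function open(password, record) {
  const key = deriveKey(password, record.salt);
  const decipher = createDecipheriv("aes-256-gcm", key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null; // no key, no data: this is also the "forgot my password" case
  }
}

// Compare what the owner can read with what a party holding only the stored
// record (provider, insider, or anyone serving a request on them) can read.
function demo() {
  const stored = seal("correct horse battery staple", SAMPLE);
  return {
    stored,
    owner: open("correct horse battery staple", stored),
    provider: open("provider-guess", stored),
    leaksPlaintext: stored.ciphertext.includes(Buffer.from("patient")),
  };
}

const result = demo();
console.log("owner:", result.owner, "| provider:", result.provider);
```
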

Privacy is a right that we must all fight for. The incredible amount of knowledge we are able to access online should not be weighed against a price expressed in likes, clicks, shares, views, weight, age, social security number, sexual preference, income, political alignment and location to within 5m. In short: the information age should look like the ultimate democracy, not the panopticon.

J.P. Smets is the founder and CEO of Rapid.Space, a cloud services company.

Donald E. Patel