Protecting Sensitive Data in the Wake of the NSA

September 9, 2013

Last week we learned the US and UK intelligence agencies have cracked most major encryption codes protecting emails, bank statements and medical records. For NGOs working with particularly at-risk populations (families, children, prisoners, refugees or political activists, just to name a few), this latest revelation could pose a serious threat to the security of this data.

At this point, the best way to combat these breaches of privacy is likely more political than technological. Mozilla and other leaders in the open source community have called upon Congress to halt the NSA's activities and create a public oversight process. DataKind has endorsed this petition. You can sign on here. 

While we at DataKind are deeply concerned to learn of this violation of the very tenets of digital security and will be watching diligently for updates to the situation, we want to remind you that there is still a low probability that the NSA is actively seeking your data or will use it to harm you. Nevertheless, we want to keep our community safe and informed. 

For the non-profits we support, we wanted to offer some greater insight into how our online privacy has been compromised, and what steps are still available to protect sensitive information.

First, the NY Times has a pretty good explanation of exactly how the NSA inserted back doors into many major tech platforms and services. These back doors can be exploited by others too. The NSA focused on breaking SSL and VPN encryption, which is often used to protect our emails, online purchases, and 4G network usage.

Bruce Schneier at the Guardian offers tips on how you can still protect your data against spies. One tip of particular use to non-profits: use an air gap. Encrypt your data on a computer that has never touched an internet connection and move it to a connected computer using a USB drive. As Schneier says, "This might not be bulletproof, but it's pretty good."

Reporter Glenn Greenwald gave an excellent interview about why the end of internet privacy affects all of us, and not just people with 'something to hide.'

Right now, the conversation is centered on civil liberties, freedom of the press, and the functioning of our democracy, all very worth talking about. But we don't want to forget that non-profits that need to protect the personal data of their clients (shelters, medical providers, legal advocacy networks, human rights advocates, etc.) should take a serious look at their security practices now and take action to prevent their data from being compromised.

In the coming weeks we'll be talking about ways that non-profits can continue to protect their clients from breaches of online privacy. Let us know if you work for a non-profit dealing with these issues, or if you have advice to offer for NGOs facing this unprecedented challenge.


We'll be talking about data and civil liberties in another context later this month. Come to our Sept 24 Meetup to hear NYCLU data analyst Sara LaPlante and Morris Justice Project founder Brett Stoudt talk about their work around stop and frisk.