Security in a Post-PRISM World

NEW ORLEANS—Over the last few months, a whole lot of people have been very worried about the privacy of their information. The revelation that the National Security Agency can potentially decrypt traffic from the Web has made a lot of people question their online providers and what can be done to protect privacy.

In a session at the LinuxCon conference here this week, I saw one really good answer proposed by Frank Karlitschek, in a session aptly titled, “Living in a Cloudy Post-PRISM World.”

I’ve had the good fortune to meet with Karlitschek in the past, and I know him as the founder of the popular ownCloud project. The ownCloud project is somewhat analogous to what Dropbox does, except that it’s open source (and has more features).

In his LinuxCon session, Karlitschek noted that some people might just shrug off the NSA risks, but he suggests that is not a good idea.

“I’m from Germany, and we know that it’s not a good idea to have an omnipotent government that can spy on you,” Karlitschek said. “It’s just not a good idea in a free society, so people should care if someone is violating their privacy—it’s very important.”

He added that developers built the Internet, and developers can fix it too.

User Data Manifesto

Going a step further, Karlitschek has proposed what he is calling the “User Data Manifesto,” which outlines the characteristics that should apply to user data.

“If I take a photo, it should be my photo,” Karlitschek said.

The full User Data Manifesto includes eight key points:

1. Own the data

The data that someone directly or indirectly creates belongs to the person who created it.

2. Know where the data is stored

Everybody should be able to know where their personal data is physically stored, for how long, on which server, in what country and what laws apply.

3. Choose the storage location

Everybody should always be able to migrate their personal data to a different provider, server or their own machine at any time without being locked in to a specific vendor.

4. Control access

Everybody should be able to know, choose and control who has access to their own data to see or modify it.

5. Choose the conditions
If someone chooses to share their own data, then the owner of the data selects the sharing license and conditions.

6. Invulnerability of data
Everybody should be able to protect their own data against surveillance and to federate their own data for backups to prevent data loss or for any other reason.

7. Use it optimally
Everybody should be able to access and use their own data at all times with any device they choose and in the most convenient and easiest way for them.

8. Server software transparency

Server software should be free and open-source software so that the source code of the software can be inspected to confirm that it works as specified.

It’s a brilliant idea and one that I hope will gain traction in the months and years to come.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.