Facebook's whistleblower and what it means for your data security & GDPR program

The recent testimony in Congress on October 5 by former Facebook employee and now whistleblower Frances Haugen has drawn the curtain back on management’s priorities at the company, and it isn’t good. Basically, she claims profits are the top priority among Facebook’s leaders. As a result, its sites are harming children and destabilizing democracy via the sharing of inaccurate and divisive content. She further claims that Facebook could have reduced or eliminated these impacts by resetting its algorithms to eliminate this content. Why didn’t Facebook do that? It would negatively impact profits.

All of this attention on Facebook prompted me to take another look at last month’s report that Facebook-owned WhatsApp was fined a record 225 million Euros by Ireland’s data watchdog for breaching EU data privacy rules. Basically, WhatsApp failed to tell Europeans how their personal information is collected, used, and shared.

This fine is the largest penalty that the Irish regulator has handed out for violations of Europe’s General Data Protection Regulation (GDPR).

The EU is leading the world in its approach to protecting the privacy of its citizens and its businesses. And they are backing up their requirements with major fines for noncompliance. Facebook is not the only US company being fined.

In July, Luxembourg’s data regulator fined Amazon 746 million euros for breaching GDPR rules regarding the use of consumer data in advertising.

In 2019, Google was fined 50 million euros by France’s privacy regulator for GDPR ad violations.

So, how does this affect you? If you’re doing business in the EU and you’re not familiar with GDPR’s requirements, you could be putting your customers and, ultimately, your company at risk. If you are entrusting other providers such as WhatsApp, Amazon, or Google to manage, access, or transfer your customers’ data, you need to make sure they are meeting GDPR requirements.

This is where HighSide comes in.

In order to ensure GDPR compliance, end-to-end encryption is essential. Your company must implement reasonable data protection measures to protect the personal data of customers, consumers, and employees against data loss or exposure. The backbone of this is end-to-end encryption. In true end-to-end encryption, only the users themselves have access to the encryption keys. HighSide provides decentralized end-to-end encryption, which means HighSide never has access to your keys or your data, and neither do your admins.

If you’re not sure whether your communications provider is providing this level of data protection, you need to ask them. For instance, some companies offer a type of encryption described as “at rest and in transit.” Under that model, your cloud provider, for instance, has access to the encryption keys. Thus, in case of a breach, re-identification of the persons from the leaked dataset is technically possible.

You also need to make sure what your provider is telling you is accurate. Europe is not the only region that is serious about data privacy. In the US, Zoom was fined $85 million for lying about encryption and sending data to Facebook and Google. According to the FTC, even though Zoom claimed to provide end-to-end encryption, it turns out they don’t (with the exception of their Connector product, which is hosted on a customer’s own servers), because Zoom’s servers hold the cryptographic keys that would allow Zoom to access the content of a customer’s Zoom meetings.

You can be sure your data is protected when you are using HighSide. We’d be happy to share with you more details about the worldwide data privacy environment. We can ensure you are in compliance. There’s no gray area in what you get from us. Schedule a conversation with an expert today.