What Network Can You Trust?

This article is more than 10 years old.

Recent revelations about National Security Agency (NSA) snooping have only served to draw our attention to how that space we used to call private is diminishing.  It’s not even that we have less privacy than we used to, although that’s true as well.  More to the point: we now know how little we ever had.

It’s no longer much of a surprise to learn that the Drug Enforcement Agency (DEA) has been helping itself to all our private little treasures for the past six years.  One can assume that all three-letter agencies as well as many state and local authorities have shared tidbits of information about us with each other.

I’ve written before about the paradox of access to technology and privacy.  People who live in glass houses should expect others to peer in.

But given what we are now living with, is there any advice we can live by?  Any way to conduct ourselves that steers adroitly between the shoals of Scylla and the vortex of Charybdis?

Even Public Key Infrastructure (PKI), the theoretically best way to guarantee the sanctity of communications between any given individual and everyone else, is subject to leakage, and in fairly prosaic ways.  One must trust the key authority, which may not be on the up-and-up.  Keys can get “lost” (and found by the wrong people).

Encrypted private networks might protect your information, but someone is standing behind the privacy wall with you.

So, what’s to be done?  Individuals can live exemplary lives, but corporations have a lot to lose in the best of circumstances.

Companies as diverse as Absolute Software, the maker of LoJack anti-theft and other security technology, and DocuSign, the eSignature people, are attempting to cover more of the multiparty workflow that organizations are now taking online.  In industry after industry, online transactions are proving to be more efficient, faster, and lower cost, often leading to greater customer satisfaction.  But these same transactions are increasingly exposed to depredation by a growing array of entities, some more friendly than others.

It’s one thing for Google to glance at your metadata and aggregate it with others’ to derive better-targeted advertising algorithms.  It’s something quite else for the NSA, using similar technology, to pull some of your records for a closer look by some of the office help.  And something altogether different for a criminal enterprise to scoop you up in a big net with others or aim a digital spear at you specifically.

Large entities like Hewlett-Packard, Dell, and IBM, which operate networks on behalf of enterprise customers, strive to keep data sacrosanct, but there’s only so much they can do against human vulnerabilities and government subpoenas.

DocuSign, a company that I know a fair amount about through an ongoing consulting relationship, is a study in how vendors are dealing with security and privacy issues.

This summer, DocuSign dialed its security game up a notch.  The company — which started with a base technology for capturing people’s signatures electronically for legally binding transactions — has continued to build out its trust network to make it a safer place to conduct such transactions.  The firm has gone to great lengths to instill confidence in this network, given the amount of real money — millions of dollars a day — flowing through it.  For example, DocuSign has integrated PayPal, the payments system owned by eBay, into an eSignature-guaranteed payment system.  Charles Schwab, the online brokerage firm, uses DocuSign as one way to make sure that securities trades it executes on behalf of customers don’t blow up later under legal scrutiny.  Companies like Coldwell Banker and Sotheby’s conduct binding real estate transactions through the DocuSign Trusted Network.

Real estate is one of DocuSign’s specialties.  Earlier this year, it acquired Cartavi, a platform that encapsulates the entire real estate transaction, including all workflows and all parties (e.g., buyer, seller, brokers, local government, banks, inspectors, notaries, and attorneys), in a secure eSignature environment.

Bank of America, which uses DocuSign (as well as a small group of other eSignature providers), has a stringent set of criteria for doing real estate transactions electronically.   These criteria include compliance with the company’s authentication, disclosure, audit, and integrity requirements for e-signed transactions.

DocuSign warns customers using its real estate system that any signing process they use must be compliant with the Electronic Signatures in Global and National Commerce (ESIGN) and Uniform Electronic Transactions (UETA) Acts, and include documented consumer consent, signer authentication options, digitally sealed documents, a secure audit trail, 99.9% uptime, service status on demand, a solid privacy policy, and clear licensing terms.  Otherwise, it warns, “If any of these attributes are missing, the service may not be creating reliable electronic records, putting you and your customers at risk, and your documents will likely be rejected by banks with electronic signature acceptance criteria such as the Bank of America.”

And not all networks are created equally trustworthy.  Recently, dotloop, an all-electronic real estate transaction service, had an outage that lasted more than a day.  The outage, which was covered here, interrupted customers' access to their files for many hours.  Hard to comply with integrity and audit requirements with that kind of downtime.

You can only do so much to protect yourself online, but if you’re going to conduct actual business over the Internet, using a belt and suspenders for security and privacy isn't too much.

Twitter: RogerKay