Perhaps this blog turns out a bit of a rant, but since I am a strong advocate on the right of privacy and security of your (personal) data I think the subject of this blog is both relevant and has been neglected too bloody long!
I guess each and everyone of those who read this has been in contact with doctors, advocates, notaries, accountants, (semi-)governmental organisations, and others who (need to) ask us to share (very) sensitive (personal or financial) information. Each and every time they do I ask them the following questions:
- If I am not convinced they need specific information, I ask them why they need it, and if they do not have a clear answer (“We have to ask you for this”, “It is what we always do”, “It is in the script”,…), I just tell them to provide me with a valid argument, either now or when they contact me again. Many times they just fold and I can just send them the information they really need.
- But more importantly I ask them what secure system I can use to provide them with the information they need. Remember, these are professionals that ask you to share (highly) sensitive personal, health, financial, and juristical information!
Unfortunately more often than not I get the reply that I can just email it to them…
And these are not all small offices with no IT capacity. Many of these are well respected and larger institutions, with numerous employees and offices. As a critical person you would expect them to act in a professional way, and be vigilant to protect the data of their clients in the same way, or preferably even better than their own data. But most of the time they just stare at me with a blank face, as if I asked them something inappropriate.
And in a certain way I get it. They deal with people who give their personal data away on a daily basis to mega-corporations like FaceBook and Google. People who are (probable) not aware that they enable those corporations to build complete profiles of individuals. So when you ask these to send some stuff by email they just comply. So why spend more resources than necessary? Well, for one since you (should) have a professional obligation and responsibility to protect the data of your customers, even if they normally act like sheep.
So I decided to do something about it. Just for me personally, and probably some close to me, since I (currently) do not have the resources to do more. And you can do it too if you really care about protecting your data (until it is in the hands – or on the systems – of the organisations who are since 2018 bound by the GDPR to protect it).
The solution was relativly simple. I just implemented a personal cloud environment, called NextCloud on a colocated FreeBSD server, but you could also implement this on some IAAS or VPS service providers. This personal cloud provides me with a very flexible environment to manage many things like (personal) calendars, pictures, mail, and most importantly for me files; as a matter of fact I currently only use the file storage and sharing possibilities of NextCloud.
The scenario is as follows. Once a “professional” asks me to share some data, or they want to share some sensitive data with me, I follow the next steps:
- If necessary I create a new folder specifically for them.
- Then I create a (public) share link for that folder.
- If it is information they need, I upload the documents they need to this folder.
- Next I modify the link to read only/read write/write only (dropbox), and assign a (strong) password and expiration date.
- And finally I share the URL and password to access the folder using two different communication channels (id est email and phone, or email and IM).
- Once the other party has copied the information, or shared the data with me the link will either expire automatically, or I will remove it. Problem solved.
Since the NextCloud is implemented on a system using encrypted storage, and communication is only possible using the HTTPS protocol using strong encryption, and only a limited amount of trusted users have access to the system using Multi Factor Authentication (2FA), I am convinced that this information is now secured according to all modern regulations and guidelines.
Does this mean there are no risks? To be honest, No! There will always be risks, and vulnerabilities. That is called life. But I am certain that I did everything to protect my data. Now this whole process took me some time to figure out and implement, but the investment was relatively limited. Cheap enough for the “professionals” I mentioned in the beginning of this blog, considering the hourly rates they tend to charge you for their time and porfessional knowledge. I really think it is time they should act accordingly.
I am aware that this is not a real solution, since the professionals get away with it, but sometimes it is just healty to rant and, at the same time, provide valuable guidance to professionals who should know better, and really care for their customers! I can only hope they will eventually act on it as well.