There is a lot of discussion at the moment about US government agencies, like the NSA, accessing user data from Google and Facebook. Because of this, I was asked how that can be a problem, since HTTPS is secure anyway. I would like to explain here the difference between HTTPS and privacy.
What is HTTPS?
As Wikipedia describes it, HTTPS is “a communications protocol for secure communication over a computer network”. As such, it uses encryption to secure the communication between your web browser and the server of the website. This encryption can be seen as privacy for your data in transit, as it is intended to prevent any third party on the internet from reading the communication between you and the website. As the description states, this privacy applies only to the transport of your information from your browser to the website. It does not protect your information on the website. How the information is handled and stored on the website’s server has nothing to do with HTTPS.
How do Facebook, Google and others store my data?
Now that we have securely transferred the information from our web browser to the website, what happens with it? In nearly all cases, the data we submit is stored in some kind of database. Inside the database, most of the data is usually stored “as it is”, which means unencrypted and unprotected, as plain text. Of course, databases are the core of any modern interactive website and, as such, organisations protect them heavily against unauthorised access.
What is the issue with the NSA?
The majority of stories about the NSA (National Security Agency) PRISM system “reading user data” don’t suggest that they are reading the data as it is transferred over the internet, but that the NSA is accessing the data directly from the companies. The recent leaks suggest that the NSA has agreements with the big companies to access their data. This means that the protections and precautions we use while transferring our data do not have any effect on the eventual privacy of our data.
Over the last days and weeks, a lot of articles on different news websites have tried to prove, and others have tried to deny, that US agencies have access to user data stored on websites like Facebook, Google and even Apple. Whatever the reality might be, the fact is that those companies collect a lot of information about their users.
It is bad when websites collect my data, isn’t it?
Collecting information is not always a bad thing. In fact, sometimes it is necessary to provide the functionality users are looking for. How could you post a nice holiday photo to all your friends if Facebook didn’t store the photo on their website/database? How would you find old school friends if these websites didn’t ask their users about their education details?
As a grown-up and responsible internet user, it is always your responsibility to decide what information you want to publish on the internet, and relying on a website’s privacy settings is always a question of trust.
Keep in mind that everything you post is part of your public image. Make sure that this image is what you want to represent. Regardless of the privacy settings on your social network, everything you post is the image you present to the world. Sharing only what you are willing to let the world know is as much as you can do to protect your online privacy.
The discussions
Here are just a few of the discussions related to the NSA and privacy on some websites.
- Google insists NSA doesn’t have ‘unfettered access’ to user data, wants more FISA disclosures
- Google denies giving NSA “direct access” to user data
- NSA snooping: Facebook reveals details of data requests
- Internet Companies Deny They’re Helping the NSA Collect User Data. Should We Believe Them?
- NSA Prism program taps in to user data of Apple, Google and others