Let’s assume that the top secret documents leaked about the NSA’s data mining activity are genuine. The leaders of the social networks and technology companies named as being part of the programme have all denied that the intelligence agency has a secret feed from their servers. Chief executives of any brand which relies on the internet - which is pretty much all of them - will need to consider their own response.
That won’t be easy, given the smoke and mirrors which have to surround the activities of such an organisation. But that is not an excuse for ignoring the issue and hoping it will go away.
For Google, Microsoft, Apple, Facebook et al, the revelations are said to have come as a surprise. That could be true, or it could be that they are required to feign ignorance. As it is, they are not even allowed to reveal when a request to hand over data under FISA rules arrives via the front door. So any back door data syphon would be even more cloaked in deniability, with only a limited number of people who really know what is going on.
As a brand apparently sitting outside of this set-up, there might seem to be no reason to respond to concerns about Prism at all. So here are three reasons why you need to do something, rather than nothing.
1 - To the consumer, Prism means all data is being secretly collected.
Forget nuance. Forget official denials. A story like this translates into one simple message for the consumer - “they’ve got my data”. Blowback from this is highly likely. Some of it may be visible, but it could just take the form of a subtle change in behaviour.
A customer transacting with you online will probably not think twice before registering to make a purchase. That does not mean your privacy notice should not be strongly emphasised at this point, just to provide reassurance (if possible). If it helps to ensure an extra 1 per cent of customers complete that purchase, it is worthwhile.
In the browsing, research, consideration and comparison phases before that, anything you can say to help build trust is vital. Consumers will be feeling a little jittery right now if they believe their data is being collected and they may be tracked. Got a good message about how you protect them or respect their privacy? Now is the time to shout it out loud.
(This should be done in good faith, by the way, even if it is actually not possible to guarantee data is secure, as points 2 and 3 note below.)
2 - You can’t protect the customer journey online.
Most customer journeys begin with search and an increasing number involve a mobile phase. Given the scope of Prism, that data is available to the NSA whether you like it or not. You can, however, aim to minimise the amount of time a prospect or customer spends outside of your own digital estate by encouraging as much direct participation with your brand’s own website as early in the journey as possible (but apps will still leave them exposed).
3 - Your data centres may be more accessible than you think.
Many companies no longer own the infrastructure on which they rely for data processing, customer data management and analytics. These capital-intensive resources might have been outsourced, in which case the question of access is already at one remove. The Prism leaks came via a worker for a business handling the NSA’s own data processing as an outsourcer and many of the major service providers have similar engagements with the US government. Once your data enters their realm, can you really know that it is sealed airtight?
If you are using cloud services, then you need to assume that the NSA can take your data whenever it wants. Most data centres supporting the cloud are US-based and the demands of FISA and the Patriot Act make it virtually impossible to resist a request for information. Since Prism is specifically focused on overseas targets, European customer data is a prime target.
It may even be that the supporting technology has other potential back doors. A report by UK MPs recently raised concerns that the Chinese technology manufacturer Huawei, widely used by telephone networks in this country, may offer a back door to Chinese government hackers, something the company strongly denies. By contrast, the US will not allow Huawei’s products to be used for critical infrastructure.
National security trumps just about everything, often including fundamental human rights, in our paranoid and vulnerable world. That is regrettable, but it is also just the way things are right now. While the big players in this issue try to get to the bottom of whether they have been opened up by the intelligence services, your brand needs to do whatever it can to reassure customers and prospects that you do the right thing, whenever you can.
You can’t promise they will not be spied on. You can make it clear your only interest is in building a good brand relationship.