Website security has always been a concern for web and systems administrators, and it has more recently become a serious concern for users who are increasingly asked to provide and store personal information on websites and in the cloud. Recent news that suggests the U.S. government harvests user data from the Internet has raised red flags for many concerned citizens and may impact your website’s security and the privacy of your users.
What is at Risk?
Before jumping to any conclusions, it is important to understand what is at risk. Will the U.S. government actually read your emails, peruse your private cloud data, and have unfettered access to anything you share online? According to the initial reports, PRISM, a surveillance program initiated by the National Security Agency (NSA) and FBI, taps into servers hosted by nine Internet-based companies, tracking everything from emails to connection logs.
Thus far, many of the companies accused, such as Google and Microsoft, have denied that they willingly participate in the PRISM program. Apple even went so far as to say it had “never heard of PRISM”. Nevertheless, many privacy groups have raised concerns, questioning what was shared with the government and how much private data is no longer private.
Most web servers automatically collect certain data about users. For example, every time someone accesses your site, Apache HTTP Server will record the user’s IP address, hostname, and possibly even general geographic location. Many web administrators also employ more sophisticated analytics software in order to learn more about their users and customers. Web administrators who want to protect user privacy should schedule this data to be routinely wiped from their servers, as there is no technical reason to keep the information for extended periods of time.
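One way to apply the routine wipe described above, as an added example that is not part of the original article: a small Python filter for Apache access logs in Common/Combined Log Format that drops entries older than a retention window. The 14-day window, the function names and the sample lines are assumptions, and masking the client address on retained entries goes one step beyond the wipe the article describes.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Leading fields of Apache Common/Combined Log Format: host ident user [time] ...
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\].*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_host(host):
    """Zero the host bits of a client address (IPv4 to /24, IPv6 to /48)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"  # a resolved hostname also identifies the client; blank it
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def prune_access_log(lines, now, retention_days=14):
    """Return (kept_lines, dropped_count); `now` must be timezone-aware."""
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT) if m else None
        except ValueError:
            ts = None
        # Undatable lines are dropped too, so they cannot outlive the policy.
        if ts is None or ts < cutoff:
            dropped += 1
            continue
        kept.append(f"{mask_host(m.group('host'))} {m.group('rest')}")
    return kept, dropped


# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.77 - - [01/Jun/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/Jun/2013:08:30:00 +0000] "GET /account HTTP/1.1" 200 2048',
    '2001:db8:abcd:12::5 - - [21/Jun/2013:09:00:00 +0000] "GET /a HTTP/1.1" 200 10',
    "corrupted line without a timestamp",
]

if __name__ == "__main__":
    print(prune_access_log(SAMPLE, datetime(2013, 6, 22, tzinfo=timezone.utc)))
```

Run on a schedule against rotated log files, this keeps recent entries for troubleshooting while older ones, and anything it cannot date, are discarded.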
User data actually stored on your servers presents a more difficult problem. If the government directly ordered you to hand over user data, there may be little you can do, but for general system-wide access, you can at least encrypt sensitive information so that only users with their own special passwords can gain access. In other words, the data may be on your server, but only the user can decrypt it.
Most users, including those who are not guilty of committing any crimes, do not want strangers sifting through their personal information. By knowing your users’ rights and how you can protect their privacy, you can increase the amount of trust users have in your website and your business.