Data Privacy Day: The Gold Standard for Protecting Survivor Privacy


When thinking about domestic violence victims, data privacy isn’t the first thing that comes to mind for most people. But here at Safety Net, it’s always a top priority for us, and we spend a lot of time helping local domestic violence programs and other victim service providers understand the impact that their use of technology can have on the privacy of the survivors they work with.

Understanding what real data privacy looks like can be complicated. As we move ever more rapidly into a technology-driven world, local domestic violence programs are under increasing pressure to join in and adopt new technologies. There are many benefits to this – it means that survivors have new ways to find help that are often easier (and in some ways safer) than making a phone call or showing up at the front door, and it means the administrative work programs have to do can become more streamlined, giving them more time to spend helping those they are there to assist. But as with everything related to domestic violence, there are major risks involved in the use of technology that must be considered and minimized before moving forward.

Let’s start with why data privacy is so important. When survivors seek help, they take huge personal risks. If their abusive partner finds out they’ve asked for help, the abuse often escalates. They also face the possibility of harmful social and economic repercussions, like housing discrimination, job loss, and exclusion from their family or community. The information victims share with the domestic violence programs is often incredibly sensitive, and if others gain access to it, it can be used to cause further harm to them. This is why the Violence Against Women Act (VAWA) requires such stringent confidentiality practices – well beyond what the more widely known HIPAA practices require. (Learn more about this in our HIPAA/VAWA/VOCA FVPSA Privacy Comparison resource.)

Domestic violence programs often ask us to help them learn and understand best practices related to data privacy and online services. A practice we are constantly encouraging programs to look at is the use of zero-knowledge encryption services. When we suggest that as the best option for confidentiality, many want to know, “But what does that even mean?!” Well, zero-knowledge encryption is the best way to ensure that the information being sent between the survivor and the program, or the information that is being stored in the cloud by the program, is protected against all third-party access (a third party is anyone who is not the victim or the program that is helping them).

When a domestic violence program uses cloud-based services, they are essentially storing the information they are collecting at an outside location. And it is standard practice for most cloud-based companies to have access to the data that is being stored. This means that if they choose, they can go in and read all of the information the domestic violence program has stored about the victims they are working with. But when a software company uses zero-knowledge encryption, even THEY can’t see the data.

Here’s a helpful analogy for understanding how zero-knowledge encryption works: Imagine a physical storage company where you can rent a vault to store your organization’s paper files. When you go there to rent a vault, they let you know that you will be the only one who has a key to your vault, and that there is no way to get into the vault without that key. The vault can’t be broken into. And the storage company does not have an extra copy of the key. No one but you, or someone you give the key to, can get into the vault. This is what zero-knowledge encryption does for survivors’ data. It ensures that only the domestic violence program has the key to unlock and access the data they have entered about survivors. This is why we consider this the gold standard of data protection, and the one that most clearly aligns with VAWA confidentiality obligations. Software companies are third parties. And they get approached by other third parties – like law enforcement and abusers’ attorneys – to share the data stored on their servers. If the software company can’t see the data, and they can’t hand it over to others who might use it to harm the survivor, the privacy and safety of the survivor are much more secure.
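The vault analogy above, sketched in code as an added example (it is not Safety Net's code or any vendor's product). It uses Node.js's built-in crypto module; `CloudProvider`, the passphrase and the sample note are hypothetical and constructed for illustration.

```javascript
// Added illustration: every name here is hypothetical, the record is constructed.
const nodeCrypto = require("node:crypto");

// Runs on the program's own computer. The passphrase and key never leave it.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

// Lock the record before upload (AES-256-GCM: encrypts and detects tampering).
function encryptRecord(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Unlock a record. Returns null if the key is wrong or the data was altered.
function decryptRecord(key, record) {
  try {
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.iv);
    decipher.setAuthTag(record.tag);
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return plain.toString("utf8");
  } catch (err) {
    return null;
  }
}

// Stand-in for the software company: it stores only what it is sent.
class CloudProvider {
  constructor() { this.vaults = new Map(); }
  store(id, record) { this.vaults.set(id, record); }
  fetch(id) { return this.vaults.get(id); }
  // Everything the company could hand to a third party that asks for the data.
  disclose(id) {
    const r = this.vaults.get(id);
    return Buffer.concat([r.iv, r.ciphertext, r.tag]);
  }
}

const NOTE = "Constructed sample note: caller asked about shelter availability.";
const salt = nodeCrypto.randomBytes(16); // not secret; kept with the program's settings
const programKey = deriveKey("constructed-passphrase-for-demo", salt);
const provider = new CloudProvider();
provider.store("record-1", encryptRecord(programKey, NOTE));

console.log("program reads:", decryptRecord(programKey, provider.fetch("record-1")));
console.log("provider holds:", provider.disclose("record-1").toString("hex").slice(0, 32) + "...");
console.log("wrong key reads:", decryptRecord(deriveKey("a guess", salt), provider.fetch("record-1")));
```

The same property that keeps the provider out also means the provider cannot reset a lost passphrase, so the program needs its own safe way to keep the key.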

If you have questions about this, feel free to reach out to us. To learn more about privacy and confidentiality, check out our Technology & Confidentiality Toolkit.

 


January 2017

FTC’s Complaint Against Myex.com is a Win Against Nonconsensual Disclosures of Intimate Images

NNEDV applauds the Federal Trade Commission (FTC) and the state of Nevada for filing a complaint against the notorious website Myex.com to help protect survivors of nonconsensual disclosures of intimate images, commonly referred to as “Revenge Porn.”[1] Myex.com, like many similar websites, is dedicated to the deeply damaging practice of soliciting intimate images and providing a space and impunity for individuals to post intimate images without consent. Many of these sites fully recognize the impact of distributing these images and have therefore monetized the suffering of those depicted by charging hundreds or thousands of dollars to remove the images from their websites. Websites that employ these tactics enhance the ability of abusive individuals to terrorize their victims by soliciting and widely disseminating nonconsensual images and then blackmailing individuals who are desperately seeking to get the images removed from the website.

While there are still many more sites that engage in these deplorable practices, the FTC and Nevada have taken a step to combat an egregious example and, in so doing, have also provided notice to others about the consequences of running these enterprises. In the current case, one executive of the company that runs Myex.com has already agreed to a fine and to comply with a ban on posting intimate images. The website itself is still online, but the complaint is still pending and could result in large fines for the company and other members of the executive team. We often hear about the many ways in which individuals are terrorized on the web, but NNEDV is encouraged by the steps taken by the FTC and Nevada and hopes that other states will follow their lead in working to combat the nonconsensual disclosure of intimate images.


For more information about responding to nonconsensual disclosure of intimate images, check out our survivor toolkit and/or advocate toolkit.

 

[1] NNEDV and many advocates are against the term “revenge porn” because we believe it inaccurately describes the practice of nonconsensual disclosure of intimate images. While some individuals make nonconsensual disclosures for revenge, many perpetrators have a mix of motivations that may or may not include revenge. Furthermore, by calling these images “porn” it inappropriately suggests that those depicted are a part of a pornography industry, when in fact the disclosure of these images is a crime in most states. Nonconsensual disclosure of intimate images more accurately describes the panoply of motivations and provides a better description of these images.

Addressing Technology Misuse in the Context of Sexual Assault

Two new resources from Safety Net discuss Technology Misuse in Sexual Assault, and offer advocates and others working with survivors a tool for Assessing Technology Misuse and Privacy Concerns.

As technology becomes woven into every aspect of society, offenders misuse the technology in sexual assault. Just as the dynamics of sexual assault differ from domestic violence, the misuse of technology looks different when sexual assault occurs outside of an intimate partner relationship.

  • A youth group leader might misuse online communities to groom victims.
  • A supervisor might threaten to change an employee’s file in a company database.
  • A caretaker might limit access to help-seeking through technology.
  • A medical provider might threaten to share embarrassing information or images gathered in the course of treatment.
  • Surveillance cameras and security could be misused by a landlord to gain footage of or access to a victim.
  • A law enforcement officer could misuse a database to target potential victims.

More widely understood examples include the explosion in the production and sharing of child pornography, or nonconsensual sharing of intimate images or footage of sexual assault of adults over the Internet.

Privacy Concerns

In addition, sexual assault cases in the public eye can generate distressing comments on news stories and social media, and some survivors may become the target of online harassment, doxing or other retaliation.

Technology and Root Causes

Online spaces amplify existing attitudes and beliefs, and so can support rape culture through memes, viral posts, revenge porn sites, etc. At the same time, online advocacy and activism efforts have used online spaces to counter rape culture through awareness, events, bystander intervention and more.