Having technological tools to protect your privacy is recommended, but equally important is understanding that privacy is a process, not a product.
March 31, 2025
By: Bobby Casey, Managing Director GWP

I love the pithy accuracy of this statement I read recently: “Privacy is a process, not a product”.
I think the same could be said about safety in general. When people think that safety or privacy is a product they take it for granted.
We see it a lot in American football versus Rugby. The latter doesn’t have nearly as much protective gear, but they don’t see as many concussions either. This is because less risk is taken with less gear, and they rely on their aversion to harm, concussion, or death to determine whether the risk is worth the potential reward. A similar observation was made in boxing between those who wore protective helmets and those who didn’t. The former saw more concussions than the latter.
Likewise, guns make you safer if you know how to use one properly, are mindful of your surroundings, maintain a clean weapon, and practice for accurate aim. The mere presence of a gun won’t do much for you in a burglary.
When it comes to safety or privacy, the tools are only as good as your process.
Signalgate
The text exchange amongst a group of national security individuals that wound up looping in Jeffrey Goldberg of The Atlantic was such a bush league fiasco. It was totally avoidable. There were already mechanisms and infrastructure in place for secure communications for that group of people, and yet under the advice of the CISA (Cybersecurity and Infrastructure Security Agency), they used Signal.
Signal is encrypted, that’s true. But end-to-end encryption isn’t enough for these types of exchanges. It might be okay for me making plans with my friends, but there are far more protocols involved with matters of national security, such as who is qualified or cleared to join the chat.
Using the government’s infrastructure would’ve allowed for the Department of Defense’s server to screen who all could receive messages since qualified and cleared parties’ devices are known to it. That is, Goldberg would never have been able to join that chat, not even accidentally. As Karl Denninger from Market-Ticker put it:
…[I]t can be set up to … refuse to deliver a message if it is to someone who doesn’t have a DOD-issued certificate and, for example, the other people in the communication do; it could either embargo it (after all, there might be circumstances where this is legitimate) or alert someone that something hinky may be going on, throw it in the trash summarily, or some combination…
In other words if you set things up properly, and run them properly, what happened can’t happen and if it is attempted, either by accident or malice, not only does it not work the person who did it gets busted if the transmission was not legitimate.
It’s not the product of Signal or even the product of encryption alone. Clearly, using any ole encrypted service isn’t sufficient.
It’s the process of setting up a protocol so that “accidents” like this cannot happen. It’s like building an elaborate flowchart and locking the cells with formulas to prevent people from hard-coding over them intentionally or otherwise.
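To make the delivery rule described above concrete, here is a small added example (not code from this article, from Denninger, or from any government system) of a relay that checks every participant before delivering anything. The registry, user names and fingerprints are constructed, and certificate validation is reduced to a fingerprint lookup as a simplifying assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DELIVER = "deliver"
    EMBARGO = "embargo"  # hold for review; the message may be legitimate
    DISCARD = "discard"  # drop without delivering to anyone


@dataclass(frozen=True)
class Decision:
    action: Action
    offenders: tuple  # participants without a valid issued certificate
    alert: bool       # whether a security officer should be notified


# Constructed registry: user -> fingerprint of the certificate issued to that
# user's managed device. A real relay would validate the full chain instead.
ISSUED = {"alice": "fp:a1", "bob": "fp:b2", "carol": "fp:c3"}


def holds_issued_cert(user, presented):
    """True only if the user presents exactly the fingerprint issued to them."""
    issued = ISSUED.get(user)
    return issued is not None and presented.get(user) == issued


def route(sender, recipients, presented, on_mixed=Action.EMBARGO):
    """Decide, before any copy is delivered, what happens to one message."""
    if not holds_issued_cert(sender, presented):
        return Decision(Action.DISCARD, (sender,), alert=True)
    offenders = tuple(r for r in recipients if not holds_issued_cert(r, presented))
    if not offenders:
        return Decision(Action.DELIVER, (), alert=False)
    # Cleared sender, uncleared recipient: nobody receives the message,
    # and the attempt is reported whether it was an accident or not.
    return Decision(on_mixed, offenders, alert=True)


# Constructed sample: "outsider" was added to the group but never issued a cert.
PRESENTED = {"alice": "fp:a1", "bob": "fp:b2", "carol": "fp:c3", "outsider": "fp:zz"}

if __name__ == "__main__":
    print(route("alice", ["bob", "carol"], PRESENTED))
    print(route("alice", ["bob", "outsider"], PRESENTED))
```

The decision is made on the server for the whole recipient list, so a mistaken addition stops the message for everyone instead of relying on the sender to notice.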
Privacy is a process, not a product.
23andMe Bankruptcy
This headline sent chills down my spine:
Bankrupt 23andMe Cleared By Judge To Sell Americans’ DNA Data To Highest Bidder
And it’s exactly as it reads, sadly. The article continues to itemize the timeline:
- Monday [3/24/25]: 23andMe Files For Bankruptcy, CEO Resigns – Fate Of Americans’ DNA Data Now In Court-Supervised Sale
- Tuesday [3/26/25]: US Official Alleges 23andMe Sold Americans’ DNA Data To Pharma Companies Owned By Foreign Adversaries
- Wednesday [3/27/25]: 23andMe Customers Panic To Delete Genetic Data
- …Thursday [3/28/25]: Bloomberg reports the worst fear for 15 million 23andMe customers: US Bankruptcy Judge Brian C. Walsh has granted the defunct genetic testing startup permission to sell its massive genetic database, potentially ending up in the hands of private equity firms that will find new ways to monetize the sensitive data.
A lawyer with the US Trustee’s Office — a public bankruptcy watchdog service — requested an ombudsman be appointed to oversee the sale of all the customers’ genetic data… which doesn’t sound objectionable, much less unreasonable. And yet, the judge abstained from opinion on that and the 23andMe attorney straight up said an ombudsman is not necessary because of the extensive privacy policies. Under the US Bankruptcy Code, companies cannot sell personally identifiable information about a consumer unless the sale conforms to the firm’s privacy policies or until after an ombudsman is appointed.
Don’t get it twisted. Personally identifiable information has to meet specific criteria. That means they can positively match data with an actual individual. But there are myriad other forms of data that aren’t inherently personally identifiable or don’t qualify as PII.
The other safeguard their attorney points out is “conforming to the firm’s privacy policies”. Since this case is being protracted to establish a sale in mid-June, could policies change? Yes. Ownership remains unchanged until mid-June.
There are privacy policies, there are safeguards, there are third parties… and all of those must work in concert to protect the data of these 23andMe customers. A privacy policy alone is insufficient. Again, privacy is a process, not a product, so having layers to the protocol might be redundant in some cases, but worthwhile in protecting the integrity of the data.
CBDC
The future is digital; of this there is little doubt. With expediency and convenience come all the vulnerabilities of a digital activation. That is the trade-off. Naturally, there must be mechanisms put into place to check that. One such solution was blockchain technology like that used in cryptocurrencies.
As we’ve seen, a lot of encryption technology does exist. Very good encryption technology, I might add. The problem is governments don’t much like that, and often insist upon a “backdoor” to the data. So either you build the backdoor, which makes the whole system vulnerable, or you do away with the encryption altogether. Such was the case for Apple in the UK, if you recall.
Again, encryption is a great tool, but the protocols for determining who has access, and how that would be coded in, present a problem much like the example of Signalgate. That’s the process, right? A tool that safeguards against intruders and unknown or uncleared parties, but a protocol that defines that and prevents malicious and accidental sharing.
As the Mises Institute rightly observes:
CBDCs present an existential threat to privacy. The Federal Reserve claims that a future CBDC would aim to balance transparency with consumer privacy. However, as Murray Rothbard argued in The Ethics of Liberty, there is no “balance” to be struck when it comes to privacy. The right to property implies the right to control how that property is used without interference. A CBDC undermines this fundamental right by allowing the state to monitor every transaction, effectively eliminating financial privacy.
It is critical to pay attention to the language around privacy. When lawyers point to PII, it’s fair to question what information does NOT fall under that umbrella that could get into the wrong hands? When bureaucrats and politicians talk about “striking a balance” with privacy, what compromises does that balance entail?
Encryption, privacy policies and laws, VPNs, and other technologies used in service of the demand for privacy are of course integral. But how those things are put to use, and the processes built into their integration, are how privacy is actually achieved, or at least maximized. Privacy is a process, not a product, and we should not take for granted that having any given product means our information is safe.