Data Privacy Day: The Gold Standard for Protecting Survivor Privacy
When thinking about domestic violence victims, data privacy isn’t the first thing that comes to mind for most people. But here at Safety Net, it’s always a top priority for us, and we spend a lot of time helping local domestic violence programs and other victim service providers understand the impact that their use of technology can have on the privacy of the survivors they work with.
Understanding what real data privacy looks like can be complicated. As we move ever more rapidly into a technology-driven world, local domestic violence programs are under increasing pressure to join in and adopt new technologies. There are many benefits to this – it means that survivors have new ways to find help that are often easier (and in some ways safer) than making a phone call or showing up at the front door, and it means the administrative work programs have to do can become more streamlined, giving them more time to spend helping those they are there to assist. But as with everything related to domestic violence, there are major risks involved in the use of technology that must be considered and minimized before moving forward.
Let’s start with why data privacy is so important. When survivors seek help, they take huge personal risks. If their abusive partner finds out they’ve asked for help, the abuse often escalates. They also face the possibility of harmful social and economic repercussions, like housing discrimination, job loss, and exclusion from their family or community. The information victims share with the domestic violence programs is often incredibly sensitive, and if others gain access to it, it can be used to cause further harm to them. This is why the Violence Against Women Act (VAWA) requires such stringent confidentiality practices – well beyond what the more widely known HIPAA practices require. (Learn more about this in our HIPAA/VAWA/VOCA FVPSA Privacy Comparison resource.)
Domestic violence programs often ask us to help them learn and understand best practices related to data privacy and online services. A practice we are constantly encouraging programs to look at is the use of zero-knowledge encryption services. When we suggest that as the best option for confidentiality, many want to know, “But what does that even mean?!” Well, zero-knowledge encryption is the best way to ensure that the information being sent between the survivor and the program, or the information that is being stored in the cloud by the program, is protected against all third-party access (a third party is anyone who is not the victim or the program that is helping them out).
When a domestic violence program uses cloud-based services, they are essentially storing the information they are collecting at an outside location. And it is standard practice for most cloud-based companies to have access to the data that is being stored. This means that if they choose, they can go in and read all of the information the domestic violence program has stored about the victims they are working with. But when a software company uses zero-knowledge encryption, even THEY can’t see the data.
Here’s a helpful analogy for understanding how zero-knowledge encryption works: Imagine a physical storage company where you can rent a vault to store your organization's paper files. When you go there to rent a vault, they let you know that you will be the only one who has a key to your vault, and that there is no way to get into the vault without that key. The vault can't be broken into. And the storage company does not have an extra copy of the key. No one but you, or someone you give the key to, can get into the vault. This is what zero-knowledge encryption does for survivors' data. It ensures that only the domestic violence program has the key to unlock and access the data they have entered about survivors. This is why we consider this the gold standard of data protection, and the one that most clearly aligns with VAWA confidentiality obligations. Software companies are third parties. And they get approached by other third parties - like law enforcement and abusers' attorneys - to share the data stored on their servers. If the software company can't see the data, and they can't hand it over to others who might use it to harm the survivor, the privacy and safety of the survivor is much more secure.
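To make the vault analogy concrete, the sketch below (an added example, not Safety Net's code or any vendor's product) encrypts a case note on the program's own device with Node.js's built-in crypto module and shows that the storage provider ends up holding only ciphertext. The function names, passphrase and case note are constructed for illustration.

```javascript
// Added illustration: function names, the passphrase and the note are constructed.
const crypto = require("node:crypto");

// --- Runs only on the program's own device ---
// The key comes from a passphrase the program keeps; neither is sent anywhere.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

function programEncrypt(passphrase, note) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(note, "utf8"), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the note, or null when the passphrase is wrong or the record was altered.
function programDecrypt(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed
  }
}

// --- Runs at the storage provider (the third party) ---
// It keeps exactly what it was sent: salt, IV, ciphertext, tag. No key, no passphrase.
const providerVault = new Map();
function providerStore(id, record) { providerVault.set(id, record); }
// Whatever reason the provider has for producing a record, this is all it holds.
function providerDisclose(id) { return providerVault.get(id); }

// Constructed sample data.
const PASSPHRASE = "constructed passphrase known only to the program";
const NOTE = "Constructed case note: client requested a callback on Tuesday.";
providerStore("record-1", programEncrypt(PASSPHRASE, NOTE));

const disclosed = providerDisclose("record-1");
console.log("provider holds:", disclosed.ciphertext.toString("hex").slice(0, 32) + "...");
console.log("with program's key:", programDecrypt(PASSPHRASE, disclosed));
console.log("without it:", programDecrypt("a guess", disclosed));
```

The provider does hold the salt alongside the ciphertext, so the protection is only as strong as the passphrase: a weak one can be guessed offline by anyone who obtains the stored record.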
If you have questions about this, feel free to reach out to us. To learn more about privacy and confidentiality, check out our Technology & Confidentiality Toolkit.