

Ask HN: how to deal with the NSA situation if a Startup handles user's data? - asenna

I am working on an MVP currently and I am trying to get it ready for launch ASAP. It is a web app along with an Android app. However, for the functioning of this service, the back-end will need to collect User's data and have some access to the phone's functionality (Who doesn't? camera, photos for instagram; notes, audio for Evernote, etc).

My question is, given the current NSA situation being exposed, I am not sure how to deal with this. I somehow feel guilty about storing user data. Since this is an MVP and we are very small, we currently do not have resources to put in 5 different layers of security/encryption or move the backend to EU or HK (and I don't think this can stop the government, look at Lavabit). What options do we have? How are other startups/businesses dealing with this?
======
petercooper
_What options do we have? How are other startups/businesses dealing with
this?_

Pragmatically speaking, carry on as normal and, if you really care, implement
some commonsense security measures. Monitoring has been going on for years and
its exposure recently is just the latest media storm in a teacup. Almost no
items on the HN front page in a year's time will be about this topic and we'll
be ignorantly living in the "new normal" as we always do.

Remember when "comedy would never be the same" after 9/11? How the economy
would collapse and we'd be fighting for food in the streets after the
financial crisis? How Iceland was headed down the pan? How avian or swine flu
would decimate humanity in the 2000s? How the Manning leaks would destroy
international diplomacy? The media's job is to blow everything into a crisis
to get people thinking their day to day lives are radically changing.. except,
they ain't and they so rarely do.

------
brudgers
Let dealing with it be a cost of business when there's a business. Right now,
addressing the issues is premature optimization. No customers. No problem.

------
angersock
We're about to launch a storage and collaboration service ourselves, and all
this shit couldn't have happened at a worse time.

I'll go ahead and ask another question:

If I've got a multitenant system, how can I best protect my clients if they're
on a box with somebody who pisses off the feds? I don't want to go all
Cryptonomicon here, but what can I do beyond a bunch of separate encryption
keys and directories and whatnot?

~~~
mchannon
Your problem is not encryption keys and directories, near as much as physical
removal of the appliance itself due to government seizure.

Your ability to protect your tenants is first and foremost their capability to
retrieve their own data, less so your ability to guard their data from
unwanted parties.

A lot of people with nothing to fear lost their data today.

~~~
angersock
(I was one of those people.)

Right, right--but what can be done in that case to work with authorities and
mitigate their fucking with things on the box outside of the person they're
investigating? We've already got a solution in place for users to hang on to
their own data, so they can still get to it.

We'd really, really like to do the right thing here (before, you know,
obstructing justice and thermiting the drives in place).

