How does ESRI deal with confidentiality?

991
6
09-10-2018 12:53 PM
ScottSweet2
New Contributor III

An online connection is required to work in ArcGIS Pro so I'd like to know who is monitoring our online session.  I am contemplating a full license for ArcGIS Pro for my business but I have many clients who are very nervous about having any of their mapping information online because their maritime boundaries are often sensitive and a matter of national sovereignty. Some of those clients are embroiled in ICJ court cases with other countries and are worried about spying or hacking.  They don't even allow me to take any data on my computer out of the country.  How can we be reassured ESRI is not collecting any of our data? Do they have any legal statements about this that I can find in the documentation? Confidentiality NationalSecurity ##ICJ

0 Kudos
6 Replies
JonathanFarmer_oldaccount
Occasional Contributor III

Hi Scott,

First, I'm not a security expert here. But I did want to point you in the direction of our ArcGIS Trust Center in case you hadn't seen that site already. Specifically, there is a page on privacy:

Privacy—ArcGIS Trust Center | ArcGIS 

But hopefully someone on our security team can chime in here and speak in more specifics on what we do and don't collect when using ArcGIS Pro.

Jonathan

Robert_LeClair
Esri Notable Contributor

A few things to consider with regard to privacy and ArcGIS Pro:

Licensing - you can configure AGP to be single use, concurrent use or named user (AGOL or Portal).  If you configure AGP for single use/concurrent use, nothing is being collected.  If you use ArcGIS Enterprise and set up your Portal for ArcGIS, all licensing and data is stored on your own hardware, behind your own firewall.

Portal - many customers concerned about data storage and who can see what configure and install ArcGIS Enterprise to secure everything.

George_Thompson
Esri Frequent Contributor

I would also recommend that you reach out to your account manager for more information also.

--- George T.
0 Kudos
KoryKramer
Esri Community Moderator

Great responses from all above, but I thought we could also add a bit more info.

1. As Robert LeClair‌ pointed out, with a purchased license of ArcGIS Desktop, you will be able to convert the ArcGIS Pro Named User license to Single Use or Concurrent Use.  You do not have that same flexibility with the Personal Use license.  Also, I think it is super important to be clear on this statement:

"An online connection is required to work in ArcGIS Pro"

That is not true. An online connection is not required to work in ArcGIS Pro.

2. As for any information that is collected, you should read The Esri User Experience Improvement program section of  Report software errors—ArcGIS Pro | ArcGIS Desktop which also points to FAQ: How does the Esri User Experience Improvement program work for ArcGIS Desktop? 

Due to your concern, I'd recommend turning that off, even though the data that the EUEI collects is unrelated to your concerns:

Hope this helps!

ThomasColson
MVP Frequent Contributor

The laws of the State of California, in which ESRI is headquartered, allow for a court to compel ESRI to provide any data it holds as a discovery request response, or FOIA request. Is this likely to happen? Very likely not.......  As such, if an organization has data that cannot be subject to uncontrolled release under those or similar situations, you should not store it in AGOL. Ultimately, your org should have a legal review of your SLA/EULA with ESRI, and develop a policy regarding sensitive data, as neither Geonet or other users will provide an answer that will survive a court challenge. 

ThomasColson
MVP Frequent Contributor

Actually here is your don't-need-a-lawyer answer: As you mention maritime boundaries, which is very clearly a national security issue, it wouldn't even take a court order for ESRI to release it: 

Products & Services Privacy Statement Supplement | Esri 

Esri will not disclose Customer Data, Administrator Data, Payment Data or Support Data outside of Esri or its controlled subsidiaries and affiliates except (1) as you direct, (2) with permission from an end user, (3) as described in this Products & Services Privacy Statement Supplement or in your agreement(s) with Esri, or (4) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may share Administrator Data with third parties for purposes of fraud prevention.

In your case, I'd stand up an internal Portal for ArcGIS, which gives you the same functionality as AGOL, but you have 100% over the security and release of any data stored within. By internal, I mean on-prem: A portal you host in Amazon could be subject to the same host-state laws.