Does Santa Claus have a security and privacy issue?
Every year in late November and early December, children around the globe write letters to Santa asking for their favorite toys, games, bikes, etc., to be delivered under the Christmas tree on Christmas morning. This is probably the children’s favorite holiday and the parents’ most tiring morning. With months of planning and the blink of an eye, joy and happiness are delivered throughout the world. But have you ever thought about how Santa is securing and storing all of the data that is being shared with him?
Let us first review where Santa lives. The North Pole is a very interesting place. There is a lot of controversy around which country lays claim to, or “owns”, the North Pole. There are 5 countries that border the North Pole: the United States, Canada, Denmark (through its relationship with Greenland), Norway and Russia. They have border rights up to 200 nautical miles offshore, and when you draw that line, it puts Santa’s home in an un-owned territory of the Arctic Circle. Additionally, the North Pole actually sits on frozen water, not land, and is considered to be in international waters. In order to lay claim to the use of those waters (oil and gas, fisheries, or Santa’s enterprise), countries would have to ratify the Convention of the Law of the Sea. Since the United States blocked the ratification, it cannot lay claim to Santa’s enterprise.
Since the North Pole is sitting in international waters and is therefore governed by international laws, Santa would have to consider GDPR and PII data regulations. Before Santa could even begin to build toys, he would need a team of regulatory expert elves collecting and separating the letters from all over the world to keep the data secure and conforming to the security controls required by those regulatory bodies. As Santa communicates back to the children, he would have to be aware of individual country laws governing how and what can be communicated.
Before he starts the process of building the toys, he would have to construct a significant supply chain aligning the children’s requests to the toys. Multiple systems would also have to be in place because different countries require personal data to be separated. Therefore, an incredible amount of data is being created at Santa’s house. Since we determined Santa’s house is sitting in international waters, what are the global privacy laws that apply to his organization?
Is Santa also a surveillance expert? It appears he might have a highly trained network of informants or access to cameras which allow him to determine which children have been “naughty or nice”. In fact, it also appears that Santa knows, throughout the year, the status of children’s behavior and, hence, whom he can mark off the list for that year. Throughout the world, there are very strict surveillance laws, and every country seems to handle it differently. With those types of data feeds and that amount of data, where is he securely storing it? Azure, AWS, or does he have his own data center?
With over 500M children to build toys for, that would amount to a sizable elf employee base. Each one of those elves would have access to the child’s name, their individual wishes and the family’s personal information (addresses, names, interests, etc.). Santa would be required to have robust security and compliance policies in place to determine how and who can interact with the data, and where it can reside. Can you imagine what would happen to Santa if the information from one country was stolen by an elf and sold to another country? Or if an elf sold it to a major retailer, thus ending Santa’s organization?
Despite these questions and possible concerns, parents are still helping their children communicate with Santa via mail, email and phone calls. It’s a global holiday and a global tradition enjoyed throughout many generations.
I enjoyed it as a child: the process of writing the letter, putting it in the mail and getting a response back from Santa (even though it was my mom and dad – but did I know?). I have, and I am sure we all have as parents, relished watching our children, through their innocence, enjoy the same traditions we loved. In this case, I do not care about the data and privacy questions because it is one of the remaining family traditions that hopefully will last a millennium.
Merry Christmas and hope you all have a Happy New Year!
President | COO