Our understanding of government surveillance changed in June 2013 when The Guardian published the first revelations of the NSA’s PRISM and GCHQ’s Tempora snooping programmes. My post that same month Help! NSA has my data – sought to introduce calm against a background of extensive blanket surveillance which has generally been greeted with alarm. 7 months is a long time in the world of cloud, so what do we know now?
Data privacy has continued to be a hot topic with some questioning whether we should have a European-only cloud or whether we should abandon cloud altogether. The extent of the snooping has taken many by surprise. The Guardian and others have disclosed the surveillance in detail and while it’s not necessary to repeat them, here are some high (low?) lights:
- the US and UK snooped on foreign leaders at the 2009 G20 summit
- there have been accusations that Skype voluntarily joined the PRISM programme and RSA introduced back doors to their products to facilitate surveillance. These accusations are denied
- NSA collected address books from Yahoo, Hotmail, Facebook and Gmail seemingly without their knowledge or cooperation
- NSA cracked mobile phone encryption and was alleged to be listening to the phone calls of Angela Merkel, the German Chancellor with the Israeli prime minister and the EU Competition Commissioner also targeted
The reaction in many quarters has been furious. Again, some highlights for me:
- the Russian government bought electric typewriters and this was reportedly as a result of them discovering that they were being spied on
- the European parliament’s civil liberties committee says the activities of NSA and GCHQ appear to be illegal and have asked Snowden to submit to questioning
- the American Civil Liberties Union is pursuing a lawsuit against the NSA alleging that its spying activities are unconstitutional and Kentucky senator Rand Paul is also about to bring a claim and is urging Americans to join the lawsuit
- two Californian state senators introduced a bill in an attempt to cut off NSA’s water supply, essential for computer-cooling
- the European justice and rights commissioner Viviane Reding threatened to freeze the EU/US Safe Harbor scheme
- President Obama announced some reforms to the NSA
Here are my answers to questions which I’ve been asked since June last year:
1. Will the EU Data Protection Regulation stop NSA and GCHQ snooping on me?
No. The draft regulation is an attempt to harmonise the different approach to data protection laws across the EU. It has been heavily criticised and has undergone a plethora of amendments and there still remains much disagreement that must be resolved before the regulation can be implemented. Regardless, article 2 of the current draft contains an exemption for national security and it is highly likely that some form of exemption will be retained in the final draft.
Data privacy has continued to be a hot topic with some questioning whether we should have a European-only cloud or whether we should abandon cloud altogether.
2. Should we abandon the Safe Harbor scheme?
No. The EU/US Safe Harbor scheme was an attempt to protect EU citizen’s data in the face of a lack of a US federal law providing similar protections. Don’t forget that most US companies have denied actively participating in the PRISM programme so scrapping Safe Harbor and preventing the flow of EU personal data to the US would punish those companies for the actions of the NSA. There’s no doubt that hitting the profits of US companies would get the attention of the US government but at the same time it could severely impair the growth of cloud in the EU as so much of it is based in the US.
3. Should I abandon cloud?
No. The first road fatalities in the US and UK were in the 1890s but this didn’t lead to the banning of the car. 1.24m people worldwide died of road traffic injuries in 2010 alone and yet we still continue to use cars. As with any new development there will always be negatives. The key is to establish proper guidelines and restrictions for surveillance by security agencies rather than abandon cloud completely.
4. Should security agency powers be curtailed?
Maybe. The debate continues. In his recent announcement of proposed reforms to the NSA, President Obama said that NSA had been acting within its powers but he recognised that Snowden’s revelations had caused anxiety. The reforms are not as extensive as many were asking for and need further clarification. For example, the NSA will continue to have access to phone data but won’t hold this itself; a third party yet to be identified will hold it instead and NSA will access it when needed. Also, foreign citizens – including other world leaders – will enjoy the same protections as US citizens but will still be the subject of surveillance if necessary to uphold national security. In short, the NSA will continue to undertake surveillance but with some adjustments. This is clearly an ongoing discussion but the NSA, GCHQ and other security agencies will all continue to undertake surveillance to some extent. In the meantime, this should not distract the average cloud provider and customer from getting on with their business.
5. Should the EU adopt its own cloud?
Yes, if you mean a European cloud to promote a thriving European-based cloud to help businesses to compete with the US-based cloud and let’s hope that’s what the European Cloud Partnership and Cloud for Europe achieve. However, if you mean a state sponsored scheme to build a European cloud to lock data in the EU and keep out US companies then no, for the following reasons:
- I’m always wary of protectionist policies, particularly given Europe’s history
- it must not act as Fortress Europe as this would be contrary to the attempts at creating a global economy through international bodies such as the World Trade Organisation
- despite the rhetoric, bureaucrats and national governments are normally not the best examples of how to implement successful technology projects
It would also not overcome the reality of state surveillance. GCHQ’s own surveillance programme, Tempora, is well-known following Snowden’s revelations. There have also been disclosures that Germany’s Federal Intelligence Service has contributed to NSA’s data collection and France’s Directorate General for External Security has been intercepting and storing French telephone and Internet communications. And don’t forget that, under the various mutual legal assistance treaties which national governments have signed, security agencies share information between them, including with the NSA.
6. Why don’t the legislators act quicker to help cloud?
Innovation happens faster than law making. It has always been so. Typically, until specific laws are passed to regulate an innovation, judges will apply any relevant existing laws, meaning there may be over regulation rather than under regulation in the short term. It’s important for legislators to strike a balance between regulating innovation to protect consumers without rushing laws and stifling the innovation. This supposed lack of relevant law hasn’t stopped US cloud developing. Nor are customers without adequate protection. Consumers are already well protected. Arguably it’s SMEs who need laws to help redress the balance and in the meantime they need to shop around. And read the contract terms before signing up – but a cloud lawyer would say that!
7. So, how do I prevent security agencies snooping on me?
- Avoid cloud altogether and buy electric typewriters to keep everything on paper on premise. That sounds a bit extreme.
- Address the problem at source, perhaps by curtailing surveillance powers or through better scrutiny? Obama’s announcement doesn’t give me much comfort that much will truly change.
- Run certain activities in the cloud, but keep sensitive data out of the cloud.
- Encrypt (or token-ise) sensitive data before transmitting and storing it in the cloud
Of course, these aren’t foolproof. The NSA has apparently been using tiny radio devices to get access to offline computers. It can already crack some encryption algorithms. The NSA reforms won’t prevent snooping but at least for now, their activities will be more closely scrutinised. Also, if all data is encrypted – not just at rest in data centres but in transit too – this will likely cause the NSA and other national security agencies to focus their resources on those targets who they genuinely believe are a threat to national security rather than the blanket approach they have up to now, as they can’t efficiently decrypt all data (yet).
8) Should I just stop panicking and carry on with my business?