Tinker, tailor, cloud provider, spy

Foreign agencies such as the FBI may soon have more power to access cloud data. Fleur Doidge asks if the channel should be concerned about customer confidentiality

In the US, the FBI is fighting to extend its access to data in the cloud when it is hosted by US companies, even if the customer is based abroad. Monitoring all kinds of cloud storage and internet communications in real time is a top priority for 2013, it has said.

Currently, to intercept online communications such as email, the agency has to obtain a court order under Title III, the US Wiretap Act.

An expansion of surveillance in the cloud has alarmed the Electronic Frontier Foundation and other groups concerned with privacy and liberty online. Some have noted that, as the internet of things grows, the FBI, CIA and their ilk could one day technically spy on you through your dishwasher.

Foreign powers can spy on cloud data held in the EU, ZDNet writer Zack Whittaker confirms, in spite of the increasingly rigorous EU data protection laws.

Business documents, health records and government files are not immune.

Cloud giants may have to hand such data to their own governments on request, for example, and new laws under consideration suggest the US government may also be able to monitor or harvest data without seeking permission.

Secret services, of course, may not restrict themselves to doing only what they are technically allowed to do anyway.

Ian Kilpatrick, chairman of security VAD Wick Hill, says this should now be of concern to businesses.

"As in the case of China, lots of snooping is for commercial advantage - commercial espionage. So the classic cop-out that anyone who has nothing to hide should not be worried about anti-terrorist activity is misguided," he says. "The price of freedom, as Andrew Jackson said, is eternal vigilance."

He notes that even the US has a "considerable record of extra-territoriality", not always benign, and that the American Civil Liberties Union claims that spying on US citizens without a warrant has sharply increased in recent times.

"Once something is in law, we are dependent on the goodwill of future generations of administrations not to misuse it," Kilpatrick says.

"UK companies are likely to have to depend on the greater concerns and scrutiny of European governments to protect our freedoms. We do have MEPs - this is a good opportunity for them to earn their keep."

Greater awareness needed

Kilpatrick says the channel has not so far become much involved in this area, but greater awareness of the issues would help.

"The ability to have a wider discussion that goes beyond just the palliative comments provided by vendors is important. It is a much wider issue than the cloud, but the cloud is the area of greatest concern because of the absolute ease of access to the data - commercial or otherwise," he concludes.

Dietrich Benjes, UK and Ireland country manager at security software vendor Varonis, says both the moral issue and the practical problems require consideration, even for companies that act as third-party handlers of data.

Governments spying on their citizens is "abhorrent" but nevertheless it can and does happen, and IT companies need to consider the potential ramifications of such activity, he says.

What if, for example, a company through circumstances beyond its control is seen to be guilty by association and thus inadvertently becomes liable for something done by a partner or customer?

Sometimes, Benjes agrees, ignorance can be no defence - and surely that is even more the case in a world of around-the-clock "big data" analytics.

"It can be something that goes against an organisation's own conception of what would be a data breach," suggests Benjes. "And then there are things such as Dropbox, where 20 per cent of users use it for work purposes."

While you cannot necessarily prevent governments delving into databases or similar, you can protect data to some extent - perhaps by relying on local companies and datacentres, or storing everything potentially sensitive in a non-networked or even non-digital way.

For those who find such suggestions extreme, standard security practices, together with the use of datacentres covered by the EU-US "safe harbour" arrangement, may all help, though none is infallible.

Complying with relevant regulations and making customers aware of potential issues - showing that you have done what you can - will go a long way towards protecting the IT provider in the event of an information leak. "A number of things can be done," Benjes says.

Phil Lieberman, president and chief executive of Lieberman Software, notes that since 9/11, more than ever, governments have sought to extend their sovereign powers over entities including law enforcement, citizens and corporations.

"Whether this is ‘right' is immaterial as these are now lawful actions," he agrees.

He says outsourcing carries inherent risk, especially in the cloud. Governments, employees and contractors may well snoop without your knowledge, and keeping secrets becomes harder as more hands are on the systems involved.

"The old saying is that if you have nothing to hide, you have nothing to fear. [But] it is easier to keep things private in a single family home than an apartment with thin walls."

Lieberman says reaping the benefits of the cloud can mean compromising on privacy and security. Things can change in situ anyway: cloud providers may go out of business, change their rates, or hire criminals to manage the resources.

"New furnishings do not change the neighbourhood. It looks nice until the neighbours get noisy or others in the cloud environment are up to no good. Expect the police to stop by and check on things," he says.

Customers and channel providers need to do due diligence on contracts and deals in the first place.

"I am amazed at how few people read contracts," Lieberman finishes. "The cloud is not a bargain or a deal - only a business model that may or may not work for you and your organisation. Sometimes employees, your own servers, and your own software are better than contractors and resources in other countries."

Frank Jennings, cloud lawyer and partner at DMH Stallard, says governments around the world will certainly engage in surveillance activities regarding cloud data, so it is not a question of whether they should be able to do so. "It's a fact," he says.

And often, as with CCTV, it is about keeping people safe.

If companies lose exclusive access to data, the ramifications may be limited if there is in fact nothing to hide. If the data was accessed by a competitor and business advantage was lost, that might be of more concern, he agrees. And what if the reseller had agreed service levels that obliged it to keep its customers' data completely confidential?

"A company can put a contractual obligation on the provider that they will not release that data, and that if they do, they will notify it. Any requirement to comply with the law [and] release that data would remain within the contract," Jennings says.

Governments can order the disclosure of data stored on-premise or anywhere else - generally speaking, the same laws and conventions apply - so on the whole the cloud does not expose customers to a greater level of risk in this area. Meanwhile, standard practices including encryption remain of benefit. (One caveat: encryption only shields data from a provider served with an order if the customer, rather than the provider, holds the keys.)
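That key-custody point is worth showing rather than asserting. The Go program below is an added illustration, not code from this article or from any vendor quoted in it. It models a storage provider as nothing more than a bucket of objects that can be compelled to hand over everything it holds, and uploads encrypted data for two hypothetical tenants: one lets the provider keep the encryption key alongside the data, the other keeps its key on premise. The tenant names, the secrets and the "<tenant>/data" / "<tenant>/key" object naming are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Constructed sample data for two hypothetical tenants of one provider.
const (
	tenantProviderKey = "acme-provider-managed" // lets the provider keep its key
	tenantCustomerKey = "acme-customer-held"    // keeps its key on premise
	secretA           = "Q3 acquisition target: Contoso Ltd"
	secretB           = "patient 0042: HbA1c 9.1%"
)

// Provider models a storage service: it keeps what it is given and, when
// compelled, hands all of it over. It does nothing else, which is the point.
type Provider map[string][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong or missing key fails rather than yielding garbage.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Upload generates a fresh 256-bit key, stores the tenant's secret sealed under
// it and, if keepKeyAtProvider is set, stores the key with the provider too
// (provider-managed encryption). The "<tenant>/data" and "<tenant>/key" object
// names are this example's own convention, not any provider's.
func Upload(p Provider, tenant string, secret []byte, keepKeyAtProvider bool) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	sealed, err := Seal(key, secret)
	if err != nil {
		return nil, err
	}
	p[tenant+"/data"] = sealed
	if keepKeyAtProvider {
		p[tenant+"/key"] = key
	}
	return key, nil // the tenant keeps this to read its own data back
}

// RecoverFromDump is all a party holding only the compelled dump can do: decrypt
// each tenant's data with a key found in the same dump. Without one, Open fails.
func RecoverFromDump(dump map[string][]byte) map[string]string {
	out := map[string]string{}
	for name, sealed := range dump {
		if tenant := strings.TrimSuffix(name, "/data"); tenant != name {
			if pt, err := Open(dump[tenant+"/key"], sealed); err == nil {
				out[tenant] = string(pt)
			}
		}
	}
	return out
}

// RunScenario uploads for both tenants, then treats the provider's whole store
// as the compelled dump and returns what it yields in clear, keyed by tenant.
func RunScenario() (map[string]string, error) {
	p := Provider{}
	if _, err := Upload(p, tenantProviderKey, []byte(secretA), true); err != nil {
		return nil, err
	}
	if _, err := Upload(p, tenantCustomerKey, []byte(secretB), false); err != nil {
		return nil, err
	}
	return RecoverFromDump(p), nil
}
```

RunScenario returns the first tenant's secret in clear and nothing for the second: the provider can be made to hand over every byte it holds, but for the customer-held-key tenant those bytes are ciphertext whose key it never had. The trade-off is that the customer now carries the burden of protecting, rotating and not losing that key, and the provider can still be compelled to disclose the metadata around the object, such as names, sizes and access times.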

"I'm talking about general access to data, rather than specific spying activities or other similar practices," Jennings adds.

"You might be able to slow that down, but ultimately [governments] will get what they want, because they are infinitely better resourced."