PRISM means that you cannot trust US cloud providers

Alastair Aitken 18 June 2013

Without wishing to sound like man-in-the-pub: if the NSA’s PRISM program is so effective then how come it couldn’t detect that someone with access to it was leaking details of its existence? Mind you, at an alleged cost of only $20 million, for failing to predict the Boston bombing it looks cheap when compared with the classified, yet estimated, umpteen billion dollar budget of the entire NSA, which also failed to predict the Boston bombing.

Did I mention that your data is not safe?

Putting aside the arguments over whether it’s right to give up liberty for safety, the lessons from the PRISM revelations for the IT industry can hardly count as news. Here’s a restatement: if you’re using a US cloud provider, your data is not safe from PRISM. If you’re using a cloud provider that has a US office, your data is not safe from the PATRIOT Act. It may even be the case that if your organisation or your cloud provider has a .com domain then you and your data are not safe from US jurisdiction. In fact, you’re not safe either, because by allowing your data to be exposed to US authorities you’re probably contravening your local data privacy laws.

It’s not all doom and gloom… oh, it is

Hogan Lovells White Paper “Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique” examines government authority to access data in the cloud in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States. It argues that each jurisdiction offers fairly similar authority to access cloud data. So the fact that governments are accessing cloud data is not news either but doing so without explicit executive consent is.

Nosy neighbours

A lot of folk aren’t keen on allowing other people to see what they do. If it weren’t a problem then there would be no locks on our doors, no envelopes for letters, and curtain manufacturers would have to emphasise their products’ heat-retaining properties rather more than they do.

My local newspaper has been conducting a poll on its web site asking readers whether they value security over privacy. One pro-security respondent said that he “had nothing to hide”. But one wonders if he really means that – if you truly have nothing to hide then you won’t mind bragging about your salary, expressing your true feelings about your current partner or letting all-and-sundry examine your web browser’s history.

The reality is, people screw up

I’ve worked for government bodies and in my experience data security is not really a government forte. Laptops, USB keys, hard drives, in fact, any removable media with personal information would regularly go missing. Sometimes the stories of these mishaps made it to the press but mainly they didn’t. Similarly, staff would regularly search databases for information about former acquaintances or notorious figures. This kind of idle curiosity cum stupidity is not limited to government organisations.

Decisions, decisions

Your choice as an IT professional is to make sure that you know which legislation you and your cloud provider are subject to.

In a professional capacity, you probably have no issue complying with the law in whichever country you happen to be doing business in. However, you do have a problem with complying with local jurisdictions and also with some random third-party government body in a foreign country which has stolen its logo from a dodgy 1970s progressive rock band.


As a contract developer and manager I’ve worked in a wide range of enterprises in a variety of countries where I’ve encountered everything from great work, awful work, bizarre work, all the way down to quasi-legal work. If you think that you recognise your own organisation within my articles then you’re undoubtedly wrong, where you work isn’t that unique.