Your Cloud Data is Safe…Right?

Last Friday Mr. Paron spoke to us about some of Microsoft’s developments in the cloud computing field. One of the areas he touched on was the security present at the data centers: multiple layers of biometrics, tall fences, scanners, and other methods to protect its customers’ data. These security features are quite impressive and would protect the data center against physical breaches. The multitude of compliance standard certifications (74 listed on the Microsoft website [1]) also indicates security built in at the software level, protecting the data against unauthorized access.

The players in the cloud computing industry make a big deal about security, including against government attempts to gain access to their data. Google’s FAQ on data security states the following on government data requests:

> Respect for the privacy and security of data you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google’s policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we’ll seek to narrow it. [2]

Notice the language. Google stresses that it only complies with data requests made within the proper legal framework, and even then attempts to minimize the data exposed. AWS and Microsoft have similar language in their reassurances to customers. These guarantees should give customers a reasonable expectation that their data will be safe.

The NSA’s Secret Room, Secret Courts

The cloud industry’s language would have you believe that providers would fight back against unreasonable data requests. However, several examples exist where companies in the IT industry not only failed to fight back against these data requests, but were even complicit. Take the example of AT&T, which operates network switching equipment and datacenters for millions of customers, making it an integral part of the world’s data infrastructure. After Congress passed the USA PATRIOT Act, telecommunications companies began providing the NSA with information to bolster counterterrorism efforts. AT&T, however, took this to a new level. In 2006, a former AT&T employee named Mark Klein revealed that AT&T had permitted the NSA to set up a secret room in an AT&T switching center in San Francisco [3]. This allowed the NSA to collect data from millions of people without warrants. Unsurprisingly, this violated federal, state, and local laws on many different levels. Klein also revealed that similar “secret rooms” existed in various other cities across the country. Edward Snowden’s leaks from 2013 revealed another troubling issue: that even when warrants are issued, the orders are issued in secret, by a secret court. These courts exist under the Foreign Intelligence Surveillance Act (FISA) and operate through a completely opaque process [4].

These practices of government-industry data sharing were only revealed through leaks and lawsuits, all while companies promised their customers that their data would remain private. Granted, AT&T is not a cloud company. However, it handles massive volumes of data just like cloud companies do, and with more and more information moving into the cloud, it is not hard to imagine that governments around the world have started looking to cloud providers as another source for intelligence gathering. There is already evidence that companies have provided data (willingly or unwillingly) in the past. Can we really be sure that cloud providers are able to keep our data private?

[1] https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

[2] https://support.google.com/transparencyreport/answer/7381738?hl=en

[3] https://www.wired.com/2006/04/whistle-blower-outs-nsa-spy-room-2/

[4] https://www.nytimes.com/interactive/2015/08/15/us/documents.html

 


2 comments on “Your Cloud Data is Safe…Right?”

  1. > Can we really be sure that cloud providers are able to keep our data private?

    Unless you encrypt your own data before it enters the cloud, it seems the answer must be “no”. I like Apple’s iCloud approach to end-to-end encryption (see https://support.apple.com/en-us/ht202303 for details about how this is used for Home, Health, iCloud keychain, etc). These data are encrypted on your device before hitting iCloud and Apple can’t decrypt them. The approach seems sound, though we are still required to trust Apple as Apple completely controls the client code.

  2. I like your thinking, even with all the disclaimers and terms/user agreements etc. There really isn’t anything there ensuring that cloud providers will keep your data private other than their word and your trust in them to actually abide by what they say. With all the interest in the data they collect and the large amount of revenue on the table for selling that data, it’s easy to see why companies may sometimes be led astray and perform illegal acts… it’s no surprise that the government may choose that path sometimes as well. Adam makes a good point that the only way to know this is happening for sure is by utilizing Apple’s approach and encrypting everything so it only travels from point A to point B.
