“Help! The NSA and GCHQ have been snooping on my data under Prism. I’m going to leave cloud and go back to on-premise as that’s the only way I can be sure to keep my data safe from prying eyes.”
If this is you, then before you abandon cloud, it’s important that you regain perspective.
1. What has been happening?
Edward Snowden is the most famous person of the moment. Opinion is divided as to whether he is a hero whistleblower or a traitor to national security (or perhaps even world security). Whatever view you take of him, he’s highlighted that the NSA and GCHQ have been using the powers available to them to get access to data. These revelations are continuing.
2. Are you kidding? Is that even legal?
This should not come as a great shock. Intelligence agencies snoop on your data. That’s how they gather intelligence. As I said previously in “Patriot Act and Data Security: 8 Myths Busted”, they have various legitimate snooping powers. The US Patriot Act is probably the best known and much of this data has been accessed under Section 215 of that Act. The NSA has also been using the Foreign Intelligence Surveillance Act Amendment Act. President Obama has said that the NSA has acted lawfully and that this is a modest intrusion into individuals’ privacy and is justified to keep the nation safe. William Hague has said that GCHQ has acted legally and is not using its alliance with the NSA to get around UK laws.
3. So the snooping is widespread?
Yes. In fact, there is even the sense in the US that it is easier to justify this snooping because it largely targets non-US citizens. The lesson from this is that intelligence agencies can and do snoop. Perhaps the only real surprise is how widespread this snooping is.
4. Shouldn’t we curtail these snooping powers?
Certainly, the widespread access to data has made many uneasy. The debate will rage for some time as to whether the access powers of governmental agencies should be curtailed or whether this is a concession to our privacy to protect national security. For the foreseeable future, at least, these powers will continue to exist.
5. Have cloud providers been participating in this?
Google, Facebook, Apple and others have denied that they have actively participated in the Prism programme or that they have an open back door for intelligence agencies to gather data at will. But Skype has admitted that it joined Prism before Microsoft acquired it, allowing agencies to snoop on calls. The issue isn’t really which providers are actively participating and which aren’t. The issue, whether they are participating in Prism or not, is that intelligence agencies can get access to your data and they can compel the provider not to tell you.
6. So should I move back on-premise and abandon cloud as the only safe option?
These powers apply whether you’re in the cloud or not. Admittedly cloud makes it easier to get your data, but if a security agency wants to get your data it will find a way.
7. So it’s a hopeless cause then?
It is important to retain (or regain) perspective. It is widely known that the EU shares information with US agencies about passengers who fly into the US, but this has not stopped people flying there. These snooping powers will come under scrutiny, but in the meantime the world will continue to go round and business will go on.
8. Ok, what should I do?
…Are you one?
Hollywood has long depicted all-seeing governments and some might say these revelations show this to be not so fanciful or restricted to conspiracy theorists. These powers are not new and it is unlikely they will be curtailed in the short term. As I said in my last blog, this snooping is unlikely to be targeted at the average business. But if you’re still not comfortable then this is what you should do:
Classify your data according to importance: ordinary data needs little protection; sensitive data needs higher standards of protection.
Protect your data according to its importance: consider whether encrypting your sensitive data is appropriate, whether you keep it in the cloud or not.
Use cloud wisely: consider keeping your sensitive data on-premise if it gives you comfort, but if you have encrypted it, it shouldn’t matter if you keep it in the cloud or not. Also, if your email is not encrypted then moving your email server into the cloud probably won’t make things worse.
Clearly the revelations about NSA and GCHQ make it appear that ‘Big Brother’ is watching us. But that doesn’t mean that we should all abandon cloud. Nothing has truly changed – we’re just all more aware of what our governments are doing and we should act accordingly to protect our data.
Cloud Lawyer and Commercial Contracts