When a person says their data is ‘in the cloud’, it normally means they have no idea where it’s being stored, how it’s being stored or who’s administering it. What we can be certain of is that data is no longer private once it’s handed over to a third party. The other week we learned the US government is able to arbitrarily access personal data stored by US companies operating in the European Union, under the latest version of the ‘Patriot’ Act. Around the same time Dropbox revised its terms of service, making clear that it holds the encryption keys, so its employees are able to decrypt any account and access customers’ files. Another service provider I came across at Infosec 2011, the name of which I can’t recall, already provides a backdoor to allow law enforcement quick administrator-level access to any given account.
Cloud computing cannot offer the same level of privacy as local storage does for the average person, and this lack of privacy could undermine trust and development in the whole industry. Richard Stallman has criticised cloud computing for exactly this reason, and Oracle founder Larry Ellison has expressed a pretty low opinion of the way it’s being marketed.
The laws regarding cloud computing seem complex and uncertain, and that’s something I’ll be reading up on in the near future. From what I’ve already seen, there’s little legal protection in the US once someone has handed data over to a third party by uploading it to the cloud, so organisations really should get the advice of proper legal experts before signing any deal. As for the rest of us, we’re presented with terms of service that basically state we’re giving up our rights when uploading our files.
Richard Stallman explained last year in The Guardian:
‘In the US, you even lose legal rights if you store your data in a company’s machines instead of your own. The police need to present you with a search warrant to get your data from you; but if they are stored in a company’s server, the police can get it without showing you anything. They may not even have to give the company a search warrant.’
But there are ways of adding a few layers of protection to our data.
A cloud service is a good solution for making non-private data accessible from any Internet-connected client, where the user has no problem with it being open to inspection. The best policy is to be very selective about what to upload over the Internet.
Private data can instead be encrypted and carried on a storage device. Although there’s the risk of the device being mislaid, the data itself is very unlikely to fall into the hands of someone with the determination and resources to break the encryption, provided the passphrase is a strong one: the passphrase, not the cipher, is what anyone who finds the device will go after.
Keep it Personal
The web browser, as everyone knows, retains and stores session data somewhere on the local system. This isn’t so much an issue with a personal computer, unless it gets seized and examined, but on public/shared computers everyone uses the same web browser, and if one person forgets to log out, or the browser has saved passwords or session cookies, the next person can pick up their accounts.
The answer to this is to use a separate web browser from everyone else. There are several browsers freely available that will run off a USB drive or MP3 player, and any session data will be stored on the device’s file system. Bear in mind that the browser still runs on the shared machine, so a keylogger or anything else installed on that computer is outside this protection.
In theory, a secure HTTPS connection will encrypt traffic between the client and server, and this is good when both are trusted. It should be common practice these days when using a shared network, especially over WiFi. However, it’s possible for a third party sitting on the network to impersonate the server and make it appear there’s a secure connection to the real thing. It’s important to check the server certificate is valid when using HTTPS: that it was issued by a trusted certificate authority and that it was issued for the host you actually meant to reach, and never to click through a certificate warning on a network you don’t control.
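What those two certificate checks amount to, as an added example (not code from the original post) that runs offline against certificates generated on the spot: a private CA stands in for the browser’s trust store, a certificate it signed for the right host passes, one it signed for a different host fails, and an impersonator’s self-signed certificate with the right name fails. The hostname cloud.example, the CA name and all file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: what "check the server certificate
# is valid" means in practice, run offline against certificates generated on the spot.
# The hostname cloud.example and the CA name are made up for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=cloud.example    # hypothetical provider we think we are talking to

# A private CA standing in for the CAs the browser's trust store would contain.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert PREFIX HOSTNAME: key, CSR and a certificate for HOSTNAME signed by our CA.
issue_cert() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

issue_cert genuine "$HOST"         # what the real provider presents
issue_cert other "mail.example"    # a perfectly valid certificate, just not for our host

# An attacker on the network can mint a certificate bearing the right name, but
# cannot get a trusted CA to sign it, so the best they can do is self-sign it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.pem" 2>/dev/null

# verify_server CERT HOSTNAME: the two checks a client has to make before trusting
# an HTTPS connection: the certificate chains to a trusted CA, AND it was issued
# for the host we meant to reach. Succeeds only when both hold. (Matching the
# "OK" line rather than the exit code, since some old openssl versions returned
# 0 on failure.)
verify_server() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" 2>&1 | grep -q ': OK$'
}

for c in genuine other fake; do
    if verify_server "$WORK/$c.pem" "$HOST"; then
        echo "$c.pem: trusted for $HOST"
    else
        echo "$c.pem: REJECTED for $HOST"
    fi
done

# Against a live site the same two checks are what this command reports as
# "Verify return code: 0 (ok)":
#   openssl s_client -connect cloud.example:443 -servername cloud.example </dev/null
```

The `other` certificate is the case people miss: it is perfectly genuine, signed by a CA you trust, and still wrong, because it was issued to someone else. A browser that only checked the signature would happily show the padlock for it.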
Bruce Schneier summed up the answer to most of our privacy concerns in one statement – ‘Encrypt everything’. Chosen and implemented properly, encryption can protect our data from all kinds of warrantless searches and invasions of privacy, wherever it’s being stored. That’s not to say there aren’t ways of breaking it, but the realistic ones are brute-forcing a weak passphrase with massively parallel hardware, or exploiting a flawed implementation, not attacking a properly chosen cipher head-on. What it does protect against is arbitrary access.
Secure connections only protect data between points A and B. Further measures are needed to protect the data while it’s stored on the remote server. Some providers will boast their own encryption and key management, but that’s all quite useless if it allows access without their customers’ permission. Backdoors are major weaknesses in cryptosystems that get exploited sooner or later. For the encryption to be trusted it must be done by the client, with keys the provider never sees, before the data is uploaded.
One way of doing this is to convert a directory to a .zip archive and then properly encrypt the whole archive, rather than using the default .zip password protection, which uses a weak legacy cipher and leaves the file names readable. Ideally the encryption program will be open source and trusted, such as GPG. I also understand TrueCrypt is pretty good.
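The archive-then-encrypt step above, carried through as an added example (not code from the original post): a directory is archived and piped straight into GPG with a passphrase, the result is the only thing that would be uploaded, and the round trip is checked before anything leaves the machine. It uses tar rather than zip, since zip’s own password protection is the thing to avoid and tar is on every Unix system; the sample files, directory names and passphrases are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: archive a directory, then encrypt the
# archive on the client with GPG before it goes anywhere near a cloud provider, and
# prove the round trip works. The sample files, names and passphrases are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
# Private keyring directory so the demo never touches your real GnuPG state.
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# GnuPG 2.1+ needs loopback pinentry to take a passphrase from a file descriptor;
# GnuPG 1.x does not know the option.
case "$(gpg --version | head -n 1)" in
    *' 1.'*) PINENTRY="" ;;
    *)       PINENTRY="--pinentry-mode loopback" ;;
esac

# Constructed sample directory standing in for the data you would rather not
# hand over in the clear.
mkdir -p "$WORK/private/notes"
printf 'account numbers and such\n' > "$WORK/private/notes/finance.txt"
printf 'draft contract\n'            > "$WORK/private/contract.txt"

# The passphrase lives in a file readable only by us and is handed to gpg on fd 3,
# so it never appears in the process list (as --passphrase on the command line would).
umask 077
printf 'correct horse battery staple\n' > "$WORK/pass"
printf 'letmein\n' > "$WORK/wrong"

# archive_and_encrypt DIR PASSFILE OUTFILE: tar the directory and pipe it straight
# into gpg, so an unencrypted copy of the archive never touches the disk.
archive_and_encrypt() {
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" |
        gpg --batch --yes --quiet $PINENTRY --passphrase-fd 3 \
            --symmetric --cipher-algo AES256 --output "$3" 3<"$2"
}

# decrypt_and_extract ENCFILE PASSFILE DESTDIR: the reverse, the way you would
# restore after fetching the blob back from the provider.
decrypt_and_extract() {
    mkdir -p "$3"
    gpg --batch --quiet $PINENTRY --passphrase-fd 3 --decrypt "$1" 3<"$2" |
        tar -C "$3" -xf -
}

# passphrase_unlocks ENCFILE PASSFILE: true only if gpg accepts the passphrase.
passphrase_unlocks() {
    gpg --batch --quiet $PINENTRY --passphrase-fd 3 --decrypt "$1" 3<"$2" >/dev/null 2>&1
}

# roundtrip_ok: encrypt, confirm the plaintext is not sitting in the ciphertext and
# that a wrong passphrase is refused, then decrypt and compare with the original.
roundtrip_ok() {
    archive_and_encrypt "$WORK/private" "$WORK/pass" "$WORK/private.tar.gpg"
    ! grep -q 'account numbers' "$WORK/private.tar.gpg" || return 1
    ! passphrase_unlocks "$WORK/private.tar.gpg" "$WORK/wrong" || return 1
    decrypt_and_extract "$WORK/private.tar.gpg" "$WORK/pass" "$WORK/restore"
    diff -r "$WORK/private" "$WORK/restore/private" >/dev/null
}

roundtrip_ok && echo "private.tar.gpg is safe to upload; only the passphrase can open it"
```

The provider only ever sees `private.tar.gpg`; it can hand that file to anyone it likes and they get nothing without the passphrase, which is the whole point of doing the encryption on your side. Keep the passphrase (or, if you use `--encrypt` with a key pair instead of `--symmetric`, the private key) off the same service.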
With a little research and skill, anyone can have an effective system of encryption and key management on a very low budget. There are also some decent enterprise key management systems, like the ones developed by Thales, that larger organisations can use for this purpose.