Security Advisor

Will Government Transparency Ease Surveillance Fears?

• By Jeffrey Schwartz
• 10/11/2013

As the disclosure of PRISM and other data surveillance activities by the U.S. government threatens the use of the cloud, Microsoft and other telecommunications, Internet and IT services providers are calling on the government to let them be more transparent with their customers.

Immediately after Edward Snowden claimed Microsoft was letting the National Security Agency (NSA) directly access data from its various services, a charge the company denies, Microsoft General Counsel Brad Smith asked Attorney General Eric Holder to let the company "share publicly more complete information about how we handle national security requests for customer information. We hope the Attorney General can step in to change this situation."

This is a pressing issue for all cloud providers as they seek to assure business customers and consumers alike that they're protecting their data. In August, the Cloud Security Alliance (CSA) held an online roundtable whose participants agreed on the need for improved transparency. "Today, there's no mechanism in place for cloud customers, or any user organizations that rely on these cloud providers, to know when their data was exposed," said event moderator Elad Yoran, VP of finance with the New York City chapter of the CSA and the CEO of Vaultive, a provider of a cloud encryption service.

"This is definitely a hot topic for me," added panelist Peter McGoff, general counsel of Box, the popular cloud storage provider. "One thing we look at as a cloud provider, and what we're asking for, is more transparency in the process. We want to be able to communicate to customers at a minimum the numbers of such requests that we get in and what our process is. Right now, it's not quite clear that we have that flexibility."

McGoff did offer that Box hasn't received an overwhelming number of warrants for enterprise data. Until early August, the Obama administration had resisted supporting changes in the disclosure policies, but the President proposed the government step up its efforts to be transparent. How that proposal plays out remains to be seen, but McGoff sees it as a move in the right direction.

"It's a good first step," he said. "I felt much better with President Obama coming out and putting a bright light on this." Also on the CSA webcast was Robert Brammer, a senior advisor to the Internet2 consortium and CEO of Brammer Technology LLC, who agreed. "The review the President has talked about, with the intelligence process [and] with one of the objectives to create more transparency, will improve the level of dialogue on this subject," he said.

The Obama administration also released a white paper (available here) that lays out how telecommunications providers access and analyze metadata gathered from calling information.

"This information is limited to telephony metadata, which includes information about what telephone numbers were used to make and receive the calls, when the calls took place, and how long the calls lasted," according to the white paper's executive summary. "Importantly, this information does not include any information about the content of those calls -- the government cannot, through this program, listen to or record any telephone conversations."

While that may be true, there are plenty of skeptics. Only 10.1 percent of those surveyed by Redmond magazine believe the government is only accessing metadata. While Snowden revealed surveillance efforts that were previously not public, much of the concern that has surfaced is old news, added Francoise Gilbert, founder and managing director of IT Law Group, a law firm focused on domestic and international information privacy and security.

During the CSA roundtable panel discussion, Gilbert pointed out the U.S. government has had surveillance initiatives in place dating back to the late 1960s, and the Foreign Intelligence Surveillance Act (FISA) was initiated in 1978."The topic of government access to data is not something new," she said. "There have been many iterations and many amendments to these laws to keep up with technology and technology progress, and there has been a movement for the past two years to amend one of these laws -- the Electronic Communications Privacy Act -- to also bring it to the 21st century."

Gilbert also pointed to due-process requirements such as the Wiretap Act. While critics of the Foreign Intelligence Surveillance Court (FISC), created under FISA, believe the judges rubber-stamp most law enforcement warrants, Gilbert argued that United States citizens have more protections than those in many foreign countries, such as the United Kingdom.

"There is no FISA court -- they just come in and have access to your information," she said of many foreign counties. "In general, I'd say the laws are definitely more favorable to the governments in foreign countries, especially in the United Kingdom," as compared to the United States, she explained.

This may be true, but there's a growing chorus of critics in the United States who don't view the current laws -- including the Patriot Act -- as very favorable to their privacy. While the government argues its surveillance efforts have thwarted potentially deadly attacks, 71 percent of respondents to the Redmond survey don't view surveillance efforts such as the PRISM program as a necessary cost of national security. The panelists during the CSA webcast concurred that the feds are going to have to look at becoming more transparent.