Would Transparency by Feds Ease Fears Over Cloud Surveillance?
When President Obama last week called for the government to be more transparent about its data surveillance activities, critics saw it as a step in the right direction, though it's unclear how, when or if that will happen. As I noted at the beginning of the week, claims by Edward Snowden that Microsoft may be feeding the National Security Agency customer data -- which Microsoft insists is not true -- are having a chilling effect on customer confidence that data is safe in the cloud.
Yet well before Snowden disclosed surveillance activity such as PRISM, the Cloud Security Alliance (CSA) had established mechanisms for service providers to disclose their data-protection practices. A key initiative was the Security, Trust & Assurance Registry (STAR), launched by the CSA two years ago, which is where cloud providers like Amazon and Microsoft have provided audited security controls.
Now that Snowden has unleashed a flood of classified information that points to PRISM and the NSA's widespread use of surveillance to thwart terrorism, the CSA has sprung into action, calling attention to its efforts and leading the discussion on the effect of surveillance on cloud security.
The Snowden leaks come just as IT organizations have started to become more comfortable with the notion that data can be securely stored in the public cloud. As I pointed out Monday, less than a third of those surveyed by the CSA in the wake of the Snowden leaks believe there is adequate transparency on how often the government accesses their information. That lack of transparency was a recurring topic in the CSA's first-ever town hall panel held Monday.
"Today, there's no mechanism in place for cloud customers, any user organizations that rely on these cloud providers, to know when their data was exposed," said moderator Elad Yoran, VP of finance with the New York City chapter of the CSA and the CEO of Vaultive, an up-and-coming provider of a cloud encryption service. This is an issue Yoran has studied quite intensely for obvious reasons.
Not only is there a lack of transparency by the NSA and other U.S. law enforcement agencies, but many key cloud providers have complained that their hands are tied in that they're restricted in what they're permitted to disclose.
"This is definitely a hot topic for me," said panelist Peter McGoff, general counsel of Box, the popular cloud storage provider. "One thing we look at as a cloud provider, and what we're asking for, is more transparency in the process. We want to be able to communicate to customers at a minimum the numbers of such requests that we get in and what our process is. Right now, it's not quite super clear that we have that flexibility."
McGoff did offer that Box hasn't received an overwhelming number of warrants for enterprise data.
Until last week, the Obama administration had resisted supporting changes in the disclosure policies, but the president is now proposing that the government step up its efforts to be transparent. The proposal was vague, and opposition from both parties indicated nothing will change in the near term. However, panelists during the hour-long CSA town hall webcast said Obama's proposal was a positive move.
"It's a good first step," Box's McGoff said. "I felt much better with President Obama coming out and putting a bright light on this."
Robert Brammer, a senior advisor to the Internet2 Consortium and CEO of Brammer Technology, agreed. "The review the president has talked about with the intelligence process with one of the objectives to create more transparency in the process will improve the level of dialogue on this subject," he said.
While calling for more transparency, Brammer argued there's a lot of misinformation, if not hysteria, about government surveillance activities. "Some of the emotional and superficial and narrowly based commentary that's come out in the media -- either in the newspapers or Sunday morning talk shows -- frankly makes this problem worse," he said. "We need a substantive dialogue on the issues and not a bunch of emotional sound bites."
One substantive point, Brammer noted, was a whitepaper (PDF) released last week by the Obama administration that lays out how telecommunications providers access and analyze metadata gathered from calling information.
"This information is limited to telephony metadata, which includes information about what telephone numbers were used to make and receive the calls, when the calls took place, and how long the calls lasted," according to the whitepaper's executive summary. "Importantly, this information does not include any information about the content of those calls -- the government cannot, through this program, listen to or record any telephone conversations."
While Snowden revealed surveillance efforts that were previously not public, much of the concern that has surfaced is old news, added Francoise Gilbert, founder and managing director of IT Law Group, a law firm focused on domestic and international information privacy and security. The U.S. government has had surveillance initiatives in place dating back to the late 1960s, and the Foreign Intelligence Surveillance Act (FISA) was initiated in 1978, Gilbert pointed out during the CSA panel discussion.
"The topic of government access to data is not something new," she said. "There have been many iterations and many amendments to these laws to keep up with technology, technology progress, and there has been a movement for the past two years to amend one of these laws -- the Electronic Communications Privacy Act -- to also bring it to the 21st century."
Gilbert also pointed to due-process requirements such as the Wiretap Act. While critics of the Foreign Intelligence Surveillance Court (FISC), created under FISA, believe the judges rubber-stamp most law enforcement warrants, Gilbert argued U.S. citizens have more protections than those in many foreign countries such as the United Kingdom.
"There is no FISA court -- they just come in and have access to your information," she said of many foreign countries. "In general, the laws I would say are definitely more favorable to the governments in foreign countries, especially in the U.K.," than in the United States.
Perhaps, but there's a growing chorus of critics in the United States who don't view the current laws along with the Patriot Act as very favorable to their privacy. While the government argues its surveillance efforts have thwarted potentially deadly attacks, even the panelists on this week's CSA webcast concurred that the feds are going to have to look at becoming more transparent.
I'd say that's especially true in the wake of the latest leaks by Snowden, reported yesterday by The Washington Post. The report reveals an audit last year that found that the NSA overstepped its legal authority by erroneously tapping both foreign and American targets here in the U.S., typically the result of typographical, operational or computer errors. The audit cited 2,776 such errors, Snowden told the Post. According to the report, Snowden shared the documents from the audit with the newspaper. An anonymous NSA source sanctioned by the White House told the Post, "We're a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line."
What effect have the disclosures of programs like PRISM had on your plans to use public cloud services? If you haven't already, please take a few minutes to participate in our brief survey, which can be accessed here.
Posted by Jeffrey Schwartz on 08/16/2013 at 4:25 PM