Cybersecurity and privacy expert Peter Swire wrote 'From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud.' The more we encrypt and lean on a cloud environment, the more accessing stored data in the cloud is like pushing the "Easy" button for the government to get its hands on plain text versions of emails, chats and other digital communications. It is in fact another cog in this “golden age of cyber-surveillance,” so how exactly is the FBI “going dark” again?
Your online privacy has never been less private; try to protect it with encryption and the government steps around you via stored records in the cloud. While not everyone encrypts data stored locally on their hard drive, encryption is becoming the default for Internet communications. If it is encrypted, then it seems to be interpreted as a threat by government and law enforcement agencies. In fact, the more you take advantage of services that encrypt your data, the more the government breaks into your cloud. "If you are trying to protect yourself from the government, then having it in the public cloud makes it easier for them to get it," said Stelios Sidiroglou-Douskos, a research scientist at MIT's Computer Science and Artificial Intelligence Laboratory.
While the cloud environment is supposed to be more secure and cut enterprise's costs by allowing data to be accessed from anywhere, a single breach can result in a devastating amount of stolen data. Even when you delete the data, how do you know it is really deleted? Yes you can read the privacy and data retention policies, but it's a bit of a gray area where you have little choice but to trust the provider. Trusting businesses who offer us freebie cloud services in exchange for us being the product is not necessarily the wisest move; it will have privacy experts duking it out on the data retention battlefield. Despite the increased use of online encryption, accessing stored data in the cloud is like pushing the "Easy" button for the government to get its hands on plain text versions of emails, chats and other digital communications.
Peter Swire served as Chief Counselor for Privacy under President Clinton, serves as a Policy Fellow for the CDT, is a professor of law at Ohio State University, and is leading a project on government access to personal information for the Future of Privacy Forum to name but a few of his privacy, cybersecurity and technology achievements. He's written extensively about surveillance, privacy and encryption such as "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud." While he does not offer any solutions to protect our privacy from records stored in the almighty cloud, all of this surveillance access also does not make sense with the government's "going dark" arguments.
More people are turning to VPNs, encrypted VoIP like is used by Skype, and more sites are using SSL. The increased use of SSL is great from cybersecurity and privacy perspectives; banks, ecommerce websites and services like Dropbox all use SSL, but that doesn't imply the government can't get its hands on the key to unencrypt the data. It's tough to find a free and secure email provider that will truly protect your privacy. Webmail providers like Hotmail and Gmail encrypt when sending email, yet Swire says cloud webmail providers and server owners retain "the technical ability to read the plain text of the emails."
According to Swire, "The widespread adoption of encryption for communications affects the choices for government agencies seeking lawful access. Logically, there are four ways for agencies to access communications":
"1. Break encryption in transit." Although the NSA "made a significant breakthrough against the globally used Advanced Encryption Standard" (AES), for most law enforcement agencies breaking encryption in transit is not feasible. Big Brother may choose use fake digital certificates to eavesdrop by hiding in your browser, but encrypted data in transit is so much more challenging to snag than data stored in plain text and resting in the cloud.
"2. Intercept before or after encryption" includes methods such as physically breaking into a building to install bugs, keyloggers or other surveillance devices. Yet those methods are too risky and costly to government agencies unless the target is a high priority. Another way to remotely intercept communications in real-time is via virtual force and Trojan horse search warrants. Other forms of stealthy interception include hacking into a target's computer. Secret surveillance conference vendors such as the Italian Hacking Team make this easy by selling services that allow intelligence agencies to monitor 100,000 targets at a time.
"3. Assure access in unencrypted form." Swire writes, "CALEA would assure access is wiretap-ready and can be read in unencrypted form." It opens the way to eavesdrop on calls, but government agencies continue to push agendas to stop them from "going dark." Law enforcement and government want "wiretap-ready" backdoors in all communications as apparently we are to believe that terrorists are hiding everywhere such as inside encrypted voice and chat channels found in online games like WOW that are outside the scope of CALEA. Intelligence agencies have issued warning that terrorists are hanging out in online games like WOW and Second Life and taking advantage of encrypted VOIP chats. The encrypted player-to-player text and VOIP chats in the games allegedly offer "convert communications" and safe harbor for people intent on "state-sponsored espionage." Law enforcement maintains that gangs and terrorists recruit and "plot evil" over Xbox and PS3.
"4. Access after the fact, in stored form, often in the cloud." Ding, ding, ding and clearly the Easy button winner for access. Swire writes, "A major descriptive conclusion of this paper is that a wide range of law enforcement and national security agencies will face large or insuperable obstacles to the first three methods. These agencies will thus increasingly depend on access to stored records, notably those stored in the cloud."
From government agencies like the CIA, U.S. military, huge corporations like Microsoft, to regular folks, everyone is betting on the cloud. Strategy Analytics predicted "U.S. spending on cloud services will grow from $31 billion in 2011 to $82 billion by 2016." Some experts suggest the cloud is a potential gold mine for cybercriminals, but it is definitely the ultimate jackpot for law enforcement. The more we turn to the cloud to store our data, the more accessible it is to government and law enforcement. In reality, even if encrypted, the cloud is neither private nor secure in that regard. It is in fact another cog in this "golden age of cyber-surveillance," so how exactly is the FBI "going dark" again?
Subscribe to the blog to receive updates about:
AltaFlux understands what you and your organization need to excel, and can deliver rapid innovation to unleash your full workforce potential. Together, we can empower your business by streamlining, transforming, and optimizing your key HCM and talent processes with industry-leading SAP SuccessFactors technology—enabling you to adapt at the speed of change.
AltaFlux Corporation is a global HCM cloud consulting partner based in Troy, Michigan. We empower organizations by streamlining, transforming, and optimizing key human capital management (HCM) processes with industry-leading HCM cloud solutions like SAP SuccessFactors, Benefitfocus, WorkForce Software and Dell Boomi.