August 6, 2013
Amidst the revelations of widespread Government spying on domestic and global internet communications have come the expected opportunistic claims of this being an immense boon for cloud providers outside of the US. Every man and his dog (and a huge number of European-based cloud vendors) have been jumping up and down suggesting that PRISM shows that only hosting outside of the US (and, usually, specifically with said provider) gives users any sort of protection from surveillance.
Just the other day I got an email from a group of students out of a university in Germany that has launched a nonprofit – BlockPrism.org. According to the email, the goal of BlockPrism is to encrypt messages in social networks. Said the founders:
The NSA scandal has shown that there is a great demand for secure communication on the Internet. While the cryptographic technology to make this possible has existed for some time, encryption has not been widely adopted because it can be too complicated. We want to solve this problem by creating programming tools that allow seamless integration across social media, without the user having to go through any trouble to encrypt his or her messages.
Obviously not concerned by Federal inspection of their funding data, the students have launched a campaign on crowdsourcing site Indiegogo to fund the further development of the project. Sigh…
While it might burst a few non-US companies’ bubble, it’s naïve to think that by simply moving the site of your data center away from the US you’ll miraculously be protected from all of this stuff. Neither will simply choosing a vendor that isn’t a US corporation. Here’s why…
Your Government is in on it too
For those customer who smugly tell you that they’re on the (insert a non-US jurisdiction) cloud and accordingly they’re safe, tell ’em to wise up. Recent revelations in my own country, New Zealand, have shown just how much other Governments are in cahoots with the US. While the NZ Government is part of a generally known surveillance operations, again it’s a fair bet that other, less identified Governments are also. And even if your Government swears black and blue they don’t help the US spy, it’s highly likely they’ve got their own surveillance programs running – national security and all that. The notion of data on the internet only being accessible by the sender and the recipient is, in my view, largely a fallacy.
They can sniff ALL the pipes
Call me a conspiracy theorist you may, but does anyone really believe that the only way the NSA can access data is through vendor agreement? These shadowy organizations (and you can bet there are far more shadowy ones that the public hasn’t even heard of yet) likely have access to all the international pipes – unless you or your vendor can offer a dedicated pipe (and I’m talking dedicated physical here, not some dedicated capacity within a generic fiber), chances are the authorities have access to all those bits you’re sending down the pipe. Ah, you say, that’s fine, ‘cos our stuff is encrypted. Not so fast…
Encryption was invented for these guys, it’s a safe bet they can decrypt several generations ahead of where encryption technology stands today. My compatriot, the late, great Barnaby Jack famously showed how he could access an ATM and make it spit out money. Before his untimely death he was going to showcase his new found abilities to hack medical devices. If a hacker, and a lowly Antipodean hacker for that matter, can bypass the best security medical device makers have, just imagine what these shadowy agents can do – well funded and with the smartest startups, best engineering and latest research that exists.
Summary – The data is out there, and it’s being observed
I’m pretty adamant that the spooks, wherever they may be, have access to the pipes on which your data is transported. They likely have the ability to decrypt even the most complex encryption techniques and they have some of the best big-data analytics that money can (or can’t) buy and hence have the ability to make sense of this mass of information. Do I care then that federal agents can likely know my bank account, the private online rants I have about some people or the sweet nothings my wife and I transmit electronically? Actually not really. While there is indeed a conceptual case to be made for a breach of human rights to privacy, that is an argument that, while excellent as an intellectual debate, is largely moot. The cat is out of the bag, the emperor has no clothes, the horse has already bolted from the stable and the new normal is that some precocious girl genius was plucked out of a college somewhere to go work for an organization you and I have never heard. Said girl genius is right now perusing my data and knows almost as much about me as I do myself. Frankly, I don’t really care…