Companies should 'just assume' governments will access their data and work from there

By Derek du Preez, March 28, 2014
Summary:
Google today published its 9th Transparency report, which showed that government requests for user information have increased 120 percent since 2009

Love him or hate him, Edward Snowden has brought the issue of privacy right to the top of the business agenda. Things that people used to suspiciously wonder about and get scoffed at for questioning are now cemented as fact, and we live in a world where we know Big Brother is watching. I'm not sure how much can be done about this if you want to continue to engage with customers via the internet and take advantage of new-age digital delivery models, but it's an interesting discussion nonetheless.

Edward Snowden

Although work is being done to implement some sort of set of global standards around data snooping, largely through a number of internet giants putting pressure on governments, it is going to be a number of years before this all settles and we feel like there is fair practice in place. However, even when that happens, will we really know what is going on behind closed doors? Probably not. But anyway, I was interested to see today that Google has released its 9th Transparency report, which details the number of requests it gets from governments around the world and how many of these requests were successful.

In a blog post, Google said that the number of requests it has received has shot up 120 percent since 2009. I'm not sure how surprised I am by this, but it is quite useful to get some hard facts about which countries are making the most requests and how often Google is handing out the data. However, Richard Salgado, legal director at the internet giant, said the company tries to push back as much as possible.

He wrote:

“Though our number of users has grown throughout the time period, we’re also seeing more and more governments start to exercise their authority to make requests.

“We consistently push back against overly broad requests for your personal information, but it’s also important for laws to explicitly protect you from government overreach. That’s why we’re working alongside eight other companies to push for surveillance reform, including more transparency. 

“We’ve all been sharing best practices about how to report the requests we receive, and as a result our Transparency Report now includes governments that made less than 30 requests during a six-month reporting period, in addition to those that made 30+ requests.”

The list – no surprises who comes out on top

Okay, so it's going to come as no shock to anyone that the US is making the most requests to Google for its customer data. It made 10,574 user data requests in the six months to December 2013, and Google handed over data for 83 percent of them. The US is also the second most successful country at getting data out of Google, beaten only by Finland (however, given that Finland only made 13 requests I think it probably doesn't deserve too much attention).

The US was followed by France with 2,750 requests made in the six-month period, with a 51 percent success rate, then Germany with 2,660 requests and a 40 percent success rate, then India with 2,513 requests and a 66 percent success rate, and then the UK with 1,397 requests and a 69 percent success rate. All of the usual suspects making an appearance.

Although these requests are made on the assumption that governments need the data for criminal investigations, it will still make many businesses feel uneasy that the likes of Google have to succumb to so many government requests for data. We saw recently in the UK how a management consultancy company bought some data from the NHS and then uploaded it to Google's cloud to run some tests, which was met by outrage from a wide variety of privacy campaigners and the general public. People are very uneasy about US companies holding data in a post-Snowden world.

However, is this apprehension justified and should companies be locking their data down on premise or keeping it in country?

Assume it's happening and move on

Our very own Phil Wainewright has written about the misplaced belief that the cloud is less secure than on premise, so I'll leave that be for now. However, I was interested to hear a cloud lawyer speak at this week's Think Cloud for Government conference in London, where he pretty much said that companies need to get over this, because governments will get your data if they want to.

Frank Jennings

Frank Jennings, a partner at DMH Stallard, said that since the Snowden revelations there has been a lot of fretting amongst businesses about putting data into a US cloud, but that there is a lot of confusion about what can be done to prevent your company data being snooped on.

“People forget GCHQ had its own Tempora programme, which is exactly the same as PRISM. We also forget that there are mutual legal assistance treaties, which allow each of these national security agencies to share data between them. But it's not just NSA and GCHQ, it's the German and French governments, and all the others.

“Are we all a bit too paranoid about this now? Yes. As far as I'm concerned Edward Snowden has given truth to the myth that governments are snooping on my data. Nothing has changed, they've been doing it for years, nothing is about to change.”

Maybe Jennings' views aren't exactly comforting to those worried about data privacy, but he argues that if you assume that governments are looking at your data, regardless of where it is, then you can work from there and put whatever best-practice security measures you can in place.

He said:

“You should probably just assume that they are going to get access to your data and work from that principle. Then take actions to keep your data secure, through encryption, tokenization, or other measures. 

“If everyone starts encrypting their data, then hopefully the NSA will focus a bit more closely on reasonable suspicion of criminal terrorist activity because it doesn't have the resources to decrypt everything.”