An EPIC fail over NSA and the 'high risk' cloud

Profile picture for user slauchlan By Stuart Lauchlan November 7, 2013
Summary:
How to deal with the NSA problem? Sensible debate or over-react by calling the cloud unsafe? EPIC knows which option to choose: the wrong one!

uat_025361
Marc Rotenberg

Perhaps it is time to rethink the cloud computing model.

The risks are too high.

The safeguards are too weak.

And the companies are not prepared to carry the responsibility of gathering so much user data.

WTF? Are you for real? Who is this guy writing in the New York Times?

Oh, it’s Marc Rotenberg, President of the Electronic Privacy Information Center or EPIC as it prefers to be known.

On its website, EPIC pitches itself as:

a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

As you can imagine, EPIC is having a field day thanks to the antics of the US National Security Agency (NSA) and the PRISM scandal.

EPIC’s self-regarding position here seems largely to be one of ‘Well, we told you so’ - never an attractive look, but is there any merit to this stand?

In his article, Rotenberg reminds us that:

For many years, consumer privacy organizations urged Internet companies to adopt better practices to safeguard the personal information they collected. As data services expanded, we asked the companies to minimize collection when possible and to delete data when it was no longer necessary to keep.

When cloud services were first offered, we proposed routine encryption for stored user data. We recommended segregating credit files and cautioned against the consolidation of user profiles.

We urged the companies to support necessary updates to privacy laws that would lead to the adoption of new privacy-enhancing techniques.

But of course no-one listened and now look what’s gone and happened :

Companies were often reluctant to adopt these security measures, arguing cost, convenience and trade secrets. They said that self-regulation was adequate and no new laws were necessary.

Now we learn that vast amounts of user data have been unlawfully acquired by the NSA and that companies are scrambling to implement new security practices to protect against our own government agencies.

And so comes the ludicrous “rethink cloud computing” call.

Hate Mail

In the UK, we have a right wing daily newspaper called the Daily Mail - aka popularly as the Hate Mail - which specialises in pandering to those who yearn for a sepia-tinted 1950s world when things were nice and everyone was nice and it was all nice.

Of course this world never existed in the first place and the 1950s were far from pleasant for many people but that’s not the point. Nostalgia ain’t what it used to be.

A regular meme from the Mail though is the fetid, dark heart of evil of the internet.

Essentially, Facebook is bad, Google is wicked, the internet spawns paedophiles every hour, on the hour, pornography is forced on people every time they use a web browser and web companies encourage this depravity and fail to protect the innocent just to make money. I may have missed some of the more subtle messaging, but that's the drift of it.

Screen Shot 2013-11-08 at 10.04.18

All of this attracts attracts politicians after some 'tech cred', but also the ‘green ink letters’ brigade like flies to honey with regular calls to ‘shut down the internet, we got on perfectly well in the 1950s without one of them!'.

This is a sentiment that I suspect is at least in part the official Mail editorial stance  - ironic from a newspaper whose online version sadly overtook the New York Times as the world’s most widely read in 2012. (And I'm not linking to the web site - they're getting no extra traffic from me today!)

The thing is though that the Mail is written to pander to the prejudices of a section of its audience and to attract a wider audience though its cynical use of ‘hate bait’ articles that enrage and attract attention and comment - or in advertising terms, engagement.

It’s also seemingly written by people who don’t understand how the internet and the web actually work. They’d probably be calling for the cloud computing model to be rethought as well if they felt that enough of their readers would understand the term in the first place.

But I’d have expected something a little more sensible from a organisation like EPIC that might be assumed to be tech savvy?

Let's start from here

I’m not making any apologies for the NSA or its actions. They are, as Box’s Aaron Levie told me this week,  “incredibly bad and inappropriate” and clearly there are many, many questions to be answered and redemptive actions to be taken.

But there are far too many people using understandable outrage about the revelations to pursue their own political and societal agendas.

Belgium EU Germany WestLB Aid
Neelie Kroes

I’ve banged on and on about European Commissioner Neelie Kroes and her chums use of PRISM paranoia to push through draconian data protection rules, for example. (EPIC is of course right behind her in that particular endeavour!)

Rotenberg's suggestion is a totally unrealistic call. There’s an old (bad) joke about someone asking how to get to a certain place, to which the answer is ‘Well, I wouldn’t start from here’.

Trouble is, we are here and this is where we need to start from.

The cloud is mainstream. NSA happened.

One is good; one we can all surely agree is not good.

We can deal with reconciling the two events sensibly and rationally; or we can over-react hysterically.

Over at Gartner, research director Heidi Wachs is equally baffled by Rotenberg’s suggestion:

Rethink the cloud computing model? The horse has left the barn, the cat is out of the bag, take your pick of cliches but let’s be realistic.

If we’re going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward.

Even if we concede that no matter what security controls we put in place to try and protect privacy, the government will find a way around it, that doesn’t eliminate the need to protect legal, ethical, or moral business to business or business to consumer privacy concerns.

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling.

We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

The expectations for notification when data is inappropriately accessed or exposed also need to be set. All of these factors combined will lead to better data privacy in a cloud-centric world, rather than starting over from scratch.

This is of course as absolutely correct in every respect as Rotenberg’s suggestion is incorrect and absurd and just damned unhelpful.

Epic fail by Mr Rotenberg, EPIC fail all round!