Invasive U.S. surveillance programs, either illegal like the NSA’s wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems.
I think these are legitimate concerns. I don’t trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?
David • December 6, 2011 2:01 PM
How about none?
Why would you put anything in the cloud you hadn’t encrypted first?
Grahame • December 6, 2011 2:03 PM
From an Australian perspective: It’s not so much a question of which government I can trust, as that my government tells me I’m not allowed to trust any other one.
Also, a Microsoft submission to the Australian government on this subject claimed that storing data in Australia wouldn’t exempt it from US government access anyway: http://www.theaustralian.com.au/news/nation/microsoft-attacks-the-gillard-governments-plan-to-store-e-health-records-in-australia/story-e6frg6nf-1226205148994
haiku • December 6, 2011 2:04 PM
I would have to be convinced that there exists a government that one can trust …
Matthias • December 6, 2011 2:07 PM
If you want to know what happens with your data, don’t let them out of your sight / hard disk / data center.
Ultimately, data parked on somebody else’s server is not safe from third parties. Nothing new here.
Matthias • December 6, 2011 2:08 PM
@David: The idea of cloud computing is that you do something with your data besides storing them. You can’t do that if they’re encrypted.
Timmy303 • December 6, 2011 2:09 PM
Trust private enterprise instead of governments!
No seriously when they say that when their “products are deployed, data gathering is done in a way where the end user is informed or involved”, they mean it!
Hahaha I couldn’t resist a dig at CIQ, I’ll shut up now.
Simon • December 6, 2011 2:10 PM
@David The cloud is not just storing data. In this instance it incorporates SaaS.
I’m based in Canada and the US location of a supplier’s recovery site was a factor in evaluating various hosted business packages.
Foreigner • December 6, 2011 2:17 PM
I say: Trust the rogue countries (like Iceland), and to a lesser extent, non-working countries (like Russia, Brazil, Ukraine…)
That’s what many innovators (like torrent sites) are doing…
Andrew Sands • December 6, 2011 2:21 PM
US Cloud (especially SAAS) providers should probably implement data storage / encryption options where the private keys that allow the data to be decrypted are held by their customers, rather than by the cloud provider. That way even if the US government issues a silent subpoena to the cloud provider under the Patriot Act, it won’t do them much good, they’ll still need to break the crypto to get at the data.
Bill • December 6, 2011 2:22 PM
I’m currently in the middle of looking at cloud solutions (In Australia) but I have to cross many out because they aren’t in Australia or they can’t guarantee the data will remain in Australia and we have to remain compliant regarding transnational data flows. Although, I do understand why the laws are there, once it leaves the jurisdiction any one with the right piece of paper, law, court interpretation of law or even legal advice (if LE) can get to it.
In regards to Australian e-Health records and Microsoft statements (mentioned by Grahame) I’ve seen how foreign countries request data, it’s still a significant legal barrier. They have to go through the local government and follow their processes and procedures for cooperation (assuming they even have them of course). Also, “world’s best practice security and privacy systems” mean nothing when the law compels you.
Regarding the US, when even a small scuba diving business can be served in with a National Security Letter compelling them to hand over information it’s ludicrous to think that companies who have restrictions on transnational dataflow would not be targets, especially since such companies often have services which could possibly be relevant to a terrorism investigation (Eg: Finance).
byF • December 6, 2011 2:37 PM
I guess Iceland could be a choice. Something like a Switzerland for data.
Anthony Papillion • December 6, 2011 2:51 PM
I agree with Foreigner: find a country where the government is unstable or is too busy worrying about more important things than being the lap dog to the United States. Generally, the more unstable the government, the better privacy you have. Alternately, finding a country that’s hostile to the US government would work to. They wouldn’t hand stuff over just because not doing so would piss the government off.
the problem with public keys not held by the hosting company is that US legislation is in the works that will mandate that even the makers of the encryption tools install a back door for the feds to use when they so choose.
Winston Smith • December 6, 2011 2:59 PM
Anyone know of any hosting providers outside of the U.S. that claim to be immune to the clutches of things like the PATRIOT Act?
Mr. Singh • December 6, 2011 3:15 PM
@-b Hmm, so if such legislation is passed, then encryption tool makers would need to install back doors. The idea of having your own key is the only way I know that you could be reasonably sure that your data is safe in the cloud. If this legislation you’re talking about is passed, that means that the only way to do it would be to use encryption tools made before the legislation goes into effect? Not a great solution, perhaps. It works to use, say, Truecrypted files on dropbox, but I guess not for eCRM’s like Blackbaud, Convio, etc.
Jan Rooth • December 6, 2011 3:15 PM
Locating your cloud computing offshore doesn’t do anything to guard against NSA wiretapping – they’re even less constrained outside the US.
Daniel • December 6, 2011 3:17 PM
People give someone else access to their data and then act surprised when they use that data for their own purposes and not for your benefit. Do you really think you are paying company XYZ enough to suffer the rubber hose for you. Don’t be stupid.
Prohias • December 6, 2011 3:39 PM
Pakistan. They are a fine mushroom cloud provider.
LeeHamm • December 6, 2011 3:40 PM
Maybe Wikileaks could get into the cloud storage business? They have some experience in the data protection business and they could use the income, I assume.
xyz • December 6, 2011 3:48 PM
SMOM (Sovereign Military Order of Malta) or the Principality of Sealand would probably not work. Not sure if those proposed by the Seasteading Institute would be any better.
Perhaps Nauru, Tonga, or some other very small country would be good, albeit this would be a bit of “security through obscurity”. Better if the country had some heavy ideological issues with USAs requests.
Or perhaps India, for a person who is willing to bribe government officials to support himself.
Bastian • December 6, 2011 3:58 PM
The only way to save Data in the cloud is if you do client-side encryption… wuala posted a interesting article on their blog
http://www.wuala.com/blog/2011/12/patriot-act-and-cloud-storage.html
Bob T • December 6, 2011 4:09 PM
“Cloud” is an over used term so the provider can wow the business managers at your company. The data is stored on somebody’s server just like it always was if you contracted that out. If you didn’t because you want it to remain in your possession, one shouldn’t be enthralled by the word cloud. Cloud computing is the software and processes by which you work with your data (that is stored on someone’s server).
If the people who provided the “cloud” service came to your company and said, “Well, our software solution requires that you put your data on our servers so we don’t have to shoehorn our software for everyone else’s environment, and provide them with technical support” the business managers would yawn and call someone else.
tde • December 6, 2011 4:18 PM
Even if there were a government somewhere outside of the US that you trusted absolutely, it really wouldn’t matter since the US govt vacuums up internet traffic off the internet’s spine so they’d get it as you sent it there or retrieved it.
Doug • December 6, 2011 4:55 PM
Which government should you trust instead?
Why, Kinakuta, of course!
Anonymous 1 • December 6, 2011 5:26 PM
The obvious answer as others have pointed out is no government though if you did have to use the cloud for something it’d probably be better off to trust a government you can actually influence somewhat (which would mean the country you’re in, many of those companies are probably more worried about US industrial espionage than hiding evidence of criminal wrongdoing).
Grahame:
Also, a Microsoft submission to the Australian government on this subject claimed that storing data in Australia wouldn’t exempt it from US government access anyway:
Maybe the US government would get Microsoft to hand over some data once without a warrant from an Australian court, but some jail time for M$ employees should be enough to make sure it doesn’t happen again.
Though I’d be surprised if the NSA doesn’t have backdoors in Windows (so in that case store it on Linux or OpenBSD systems, kept up to date of course).
Anthony Papillion:
I agree with Foreigner: find a country where the government is unstable or is too busy worrying about more important things than being the lap dog to the United States.
More important things like keeping US foreign aid money flowing or being able to sell products made in their sweatshops in the US.
Anthony Papillion:
Alternately, finding a country that’s hostile to the US government would work to. They wouldn’t hand stuff over just because not doing so would piss the government off.
Many of them would be even worse than the US.
Anthony Papillion:
the problem with public keys not held by the hosting company is that US legislation is in the works that will mandate that even the makers of the encryption tools install a back door for the feds to use when they so choose.
Somehow I can’t see the FSF being too pleased with that idea.
Besides, didn’t key escrow get killed (deservedly) decades ago?
Jan Rooth:
Locating your cloud computing offshore doesn’t do anything to guard against NSA wiretapping – they’re even less constrained outside the US.
Good point, though encrypting the communications can help there so they’d need to do more than just wiretapping to do more than mere traffic analysis (not that it’s insignificant).
xyz:
SMOM (Sovereign Military Order of Malta) or the Principality of Sealand would probably not work.
Sealand did actually try that for a bit (look up HavenCo) and are the closest any new state not based on historical ethnicity has come to being sovereign but even then there are doubts.
The Sovereign Military Order of Malta very likely is not a state (I’d be surprised if they met the requirements of the Montevideo convention).
If your cloud computing is covering up for crimes by priests than the Catholic Church might let you use their dictator created bantustan in Italy to host it.
xyz:
Not sure if those proposed by the Seasteading Institute would be any better.
They currently suffer from the little issue of not actually existing (though there may end up being seasteads willing to take the rubberhose for you).
xyz:
Perhaps Nauru, Tonga, or some other very small country would be good, albeit this would be a bit of “security through obscurity”. Better if the country had some heavy ideological issues with USAs requests.
Now we’re getting somewhere, the traditional tax havens are probably the best place to go if you don’t want any government using subpoenas to get your data. They have a proven record of not giving information out about finance so…
tde:
Even if there were a government somewhere outside of the US that you trusted absolutely, it really wouldn’t matter since the US govt vacuums up internet traffic off the internet’s spine so they’d get it as you sent it there or retrieved it.
Keep the connection between the cloud server and any client computers encrypted and all they’ll be able to do is traffic analysis.
The biggest threat really is that the US government can make any provider based in the US cooperate with them, whereas if they store the data outside the US then for the US government to get it they either have to break in or they have to get the other government to force the issue.
Woofle • December 6, 2011 5:43 PM
@ David
“Why would you put anything in the cloud you hadn’t encrypted first?”
@ Andrew Sands
“US Cloud (especially SAAS) providers should probably implement data storage / encryption options where the private keys that allow the data to be decrypted are held by their customers, rather than by the cloud provider.”
Then you have the problem that you have just allowed parties unknown unlimitied access to your secret. Therefore you no longer have a secret.
[sarcasm]
Personally I keep my confidential info on a computer that is
* not networked
* always off
* in a safe
* encased in concrete
* at the bottom of the ocean
[/sarcasm]
[rant]
“Cloud computing” is just a way to sell SAAS. After all, who would rent something forever when they can buy it once (well, ignoring the eternal upgrade cycle…). User/customer security is not a consideration.
[/rant]
Spaceman Spiff • December 6, 2011 6:49 PM
Nothing stored in the cloud should be unencrypted before transmission to the cloud. Even if control over the servers should be devolved to non-governmental entities, that does not keep such from intercepting the data stream. Only when we are using ubiquitous, and strong, encryption, will we have any hope of keeping our private matters private.
bcs • December 6, 2011 7:07 PM
Don’t trust any of them. Use a secret sharing system to split it across several international clouds and decode it in the browser. OTOH that more or less kills any kind of server side processing and any social features (unless you don’t care jack for privacy).
Doug Ransom • December 6, 2011 7:30 PM
I think it has been the case for years, especially in the financial services industry in Canada. I beleive it is impossible to meet privacy laws in Canada if any client data is hosted in the US.
Cloud providers such as google have also been known to inspect your private data (ie with image recognition software) so you also have to trust your cloud provider not to be evil.
Carl G • December 6, 2011 7:40 PM
Although there are obvious technical solutions (data splitting, various crypto techniques and so on), the issue from a non-US-based consumer’s perspective comes down to trustworthiness. To be honest, the US doesn’t have a particularly good reputation internationally with respect to abiding by the spirit of the law (including laws of its own manufacture); the sometimes interesting interpretions of law that US government agencies (law enforcement, intelligence, and others) have acted has definitely eroded global trust perception and this is an aura effect of such incidents and behaviours.
Having a law that brushes up close to legimate concerns around information confidentiality also seems to highlight the concern by giving a name to the threat; if there had been no law such as the Patriot Act to focus attention, the concerns might not have been so vocal (I acknowledge this is largely a speculative “what might have been” scenario though).
Also, the non-US world has seen diverse legalistic grey areas encroached upon in other domains (Guantanamo anybody as an example?).
Funnily enough, some of the potential anti-US-hosted-cloud-provider people I have worked with are quite happy to host in what are probably even less practically safe countries, especially when Executive perceptions of the US state of affairs are taken into account.
Nick P • December 6, 2011 8:09 PM
There are numerous countries with strong privacy laws that at least limit potential damage. Hong Kong and Panama are two places where a private cloud could be set up. Any of the impoverished or corrupt countries can work so long as the people in power are paid up properly or at least depend on the thing themselves. An expample of that is Nigerian 419 and 901 scams.
NobodySpecial • December 6, 2011 9:36 PM
So you don’t trust the US not to take a look at your commercial secrets but you think China is a safe alternative ????
At least with the US government you know they will be too incompetent to take advantage of the knowledge
Jon • December 6, 2011 9:41 PM
Silly suggestion:
1) Encrypt a lot of random data and submit it to the cloud along with your encrypted real data.
2) Keep a list (on paper?) of hashes of the encrypted real data.
3) Whenever you submit or retrieve data, always submit and retrieve many similarly-sized files of random (encrypterd) garbage as well as the file you want.
4) After retrieving all the files, filter by hash, and decrypt the one you actually care about.
5) Profit… Or something. It’s
5a) impractical, and would drive up your cloud charges by quite a bit
5b) could get you in very serious trouble when certain authorities (e.g. the UK) insist you give them the decryption key to data that doesn’t have one (they’ve found a random data file, and insist you decrypt it. Well-encrypted data is indistinguishable from random. Yes, they can jail you for not having something that doesn’t exist.)
5c) based on chance, to a certain degree. The cops could find and decrypt the correct file, either by trying all of them or by luck.
Meanwhile, it gives the spooks something to do.
J.
Mark • December 6, 2011 9:58 PM
I don’t trust the cloud for much more than Gmail. But I admit that may just be a matter of complacency. For accessing data on my computer on the go, I wouldn’t use the “cloud” for anything that could possibly come back to bite me in the ass, including music. Instead I use my personal vpn with self signed keys. I don’t need a CA that’s just as vulnerable to govt pressure as Google to tell my if my own key is good. Hopefully that’s enough to keep the man in the middle boxes that I’ve been hearing about lately out.
ireallydon'tknowcloudsatall • December 7, 2011 12:58 AM
Foreigners are wise. Would that there were a Patriot Act Free Zone here in America. ‘
Ironically, the alphabet folks in the US have no reason to trust each other either with all the kooky data being generated. Look at how NSA gets corrupt data from the FBIs domestic terror program. Or the suspicious this and thats from DHS that turn out to be fear and ignorance. Private companies are no better, most of the domestic spying work is contracted out to the private sector in the US whether its FBI, NSA, or DHS.
Troy • December 7, 2011 1:05 AM
I think the reality is if the US government want your data they will get it. Personally, I don’t have too much faith that the Australian govt would ignore a request for data from the US..
SaB • December 7, 2011 1:12 AM
Wuala claims to be immune to the Patriot Act with client-side encryption and EU-based servers (http://www.wuala.com/blog/2011/12/patriot-act-and-cloud-storage.html) – any thoughts on those claims?
RobertT • December 7, 2011 1:43 AM
There seems to be some confusion here about “Cloud Storage” VS “Cloud Computing”.
In my mind the major difference is in whether you expect the Cloud to provide any data processing services, such as : Engineering simulation, Database SQL…
Encrypting the Data works great if your only requirement is remote data storage, or data sharing (such as medical data records) but it is very difficult to do any data processing on encrypted data. To allow the processing of encrypted data the encryption system must be Homomorphic.
If you have a good homomorphic encryption system than I’d respectively suggest you discontinue your other businesses and sell encryption software.
Anne Onymous • December 7, 2011 4:51 AM
As others have said: Iceland
Johan Louwers • December 7, 2011 5:09 AM
This is a quite interesting issue. However it also raises a second question. If a US company wins a contract with a government(none US) and the tender states that you cannot host it within the US however is has to be within the boundaries of the EU will the data be secure in a EU data-center or is it still falling under the patriot act and is the data still not safe?
If it means it still falls under the patriot act if the contract is carried out by a US company even if the data is physically within the EU it would mean that EU governments should only work with none US companies to be compliant with the EU data protection act.
Correct? What is your view on this?
Jan Willem de Vries • December 7, 2011 5:39 AM
@JohanLouwers: Yes, you’re right. A US based company is obliged to deliver data, based on a request under the PA; even worser: the company is even not allowed to notify the customer or (the governement of) the country to which it refers.
Consequences are that your data are already in the US, before you even notice. And under the PA the US are not obliged (allowed?) to tell why they need the data. Officially it is a counter terrorism activity, but maybe it is just a normal economic espionage act!
Clive Robinson • December 7, 2011 6:28 AM
@ Bruce,
“The more interesting question is: which government should I trust instead”
On the assumption you were not being flippant / rhetorical… only if you are interested in political discussion, if not then you are asking the wrong question.
From the point of view of providing a solution, you should be asking,
‘Given the current infrastructures available to me, how do I use them such that I don’t have to trust either the infrastructure operators or those who might have undue accesss to the infrastructures or influance over the operators?”
Asking it that way gives you the basis of a plan of action on which to work, not an open ended political debate best held on the porch with a beer in your hand when the sporting talk has run it’s course.
@ All,
However there are more fundemental questions that need to be looked at than “who might get access to my/our data”, such as how do I ensure I continue to get access to my/our data (under all foreseable survivable eventualities).
One thing that is quite clear, is that the majority of those leaping into the cloud for data storage are most certainly not asking the right questions and appear to be doing it for no other reason than “very shorterm managment thinking”. Which is often based on a faux assumption of cost saving or as more often (mistakenly) said “Because it’s more efficient”…
This is dangerous thinking, just as dangerous and along the same lines of “If I place another bet I can wipe out my current loses” the faux assumption here being (against more rational thinking) that you are actualy going to win this time…
Also in most cases people leaping into the Cloud don’t have sufficient information as to who owns / provides what and who carries the actual risk and why, or even who actually owns the data stored.
One aspect of this is being called by some cynical people “cloud data offseting” that is I sell you a cloud storage service but in actuality I own no infrastructure and in effect carry no risk (other than bankruptcy).
Unbeknown to my clients I just subcontract the work to which ever infrastructure provider gives me what I perceive is the “best deal” and it could just be “Amazon” or other well known organisation as the backend and I front it by renting a server or two through the likes of say “RackSpace”. My only effective “value added” if any being the choice of software and the entries in the configuration files on those rented servers…
Which whilst it may not be illegal, and of no issue whilst things are working, what happens when things go wrong either technicaly or if the business fails and the bills to the infrastructure providers goes unpaid?
The further these Cloud providers are away from you the more things are likely to go wrong technicaly and contractualy and the less your opportunity of seaking redress or even getting your data back…
In the worst case your private data may fall into the hands of a receiver or other debt recovery agent, who will sell it for whatever they can get, irespective of what contractual arrangements you thought you had put in place (and yes this has happened before in similar circumstances)…
Therefore two obvious things arise,
1, You have to make your private data of no worth to others.
2, You have to make the access to your data highly fault tolerant.
The first implies some form of client side data encryption the second the use of high assurance / availability techniques at all levels technical, contractual and providers (which kind of blows most expected cost savings out of the water).
That is you need to store your data with three or more providers (think RAID on NAS/SAN as to the why and the how) and if you are sensible the data “stripes” are stored using a threshold scheme to reduce / prevent collusion / compulsion.
With a little further thought as an international organisation you can even beat the UK RIPA and those less than humourous people with cold wet blankets and rubber hose pipes providing their drivers are rational (the way my luck runs I’d probably get the ones who just get job satisfaction or feel the need of the exercise…)
Alan Kaminsky • December 7, 2011 7:10 AM
@Matthias: “The idea of cloud computing is that you do something with your data besides storing them. You can’t do that if they’re encrypted.”
@RobertT: “. . . it is very difficult to do any data processing on encrypted data. To allow the processing of encrypted data the encryption system must be Homomorphic.”
Matthias, a cloud server can do arbitrary computations on encrypted data, yielding the encrypted result, so that the server does not discover the actual input or output of the computation. But as RobertT points out, you can’t use an everyday block cipher like AES, you have to use homomorphic encryption.
RobertT, I disagree that homomorphic encryption is “very difficult.” No one knew how to do this at all until a breakthrough discovery by Gentry in 2009. This turned homomorphic encryption into a hot research topic, a lot of work has been done in the past two years, practical homomorphic encryption schemes have been published, and further improvements are sure to follow.
The present situation with homomorphic encryption is very much like the situation with public key encryption in 1978. No one knew how to do practical public key encryption until Rivest, Shamir, and Adleman published RSA. Other public key encryption schemes were also published around that same time. Now, no one thinks twice about public key encryption; it’s simple, practical, and widespread. Homomorphic encryption isn’t quite there yet. Wait a year or two.
Whether cloud providers will actually deploy services to do computation on homomorphically-encrypted data is a different question. The answer will depend on political and economic considerations, not technical feasibility.
RobertT • December 7, 2011 9:13 AM
@Alan Kaminsky
“I disagree that homomorphic encryption is “very difficult.” No one knew how to do this at all until a breakthrough discovery by Gentry in 2009″
Sorry I should have said it is practically impossible to do any computations on data encrypted using typical block cyphers. (DES, AES, Idea….)
As for trusting my personal data to the security of available Homomorphic encryption systems, frankly I’ll pass on that opportunity, although I agree that tremendous advancements are being made in this area.
Frankly I’m excited about the uses of Homomorphic encryption which is why I said that anyone with a good algorithm, is sitting on a gold mine, so they should drop everything else and focus their business on just this.
My own interest in this topic is really limited to the possible uses in secure data routing over, self configuring multihop mesh networks, so I’m not overly concerned with absolute data security for X years…
Paeniteo • December 7, 2011 9:43 AM
@Johan Louwers: “it means it still falls under the patriot act if the contract is carried out by a US company even if the data is physically within the EU”
Yes, take Google for example:
http://www.h-online.com/security/news/item/Google-also-passes-on-European-data-to-US-authorities-1319434.html
NobodySpecial • December 7, 2011 9:47 AM
@JohanLouwers: This came up with the UK national census – when the data processing contract was given to a US company.
There are very strict laws on the secrecy of census data in addition to all the Eu laws on data protection. Yet the US company would be required to hand over the data under the patriot act and say that it hadn’t.
IIRC it all came down to the UK government saying – you can trust us and the US govt not to do anything bad.
So you should assume that your UK census data is on a disk in langley already.
Tim Banks • December 7, 2011 9:58 AM
Trust nobody. Build your own cloud.
Matthias • December 7, 2011 11:08 AM
@Alan Kaminsky: Sure, you can add or multiply two (encrypted) numbers under homomorphic encryption. Given the size explosion your data suffers when you use such a scheme, this is not very practical.
Data processing is more than add-and-multiply, however. You also might want to compare two numbers. My program would want to know whether 2*2 equals 4, or it might want to generate a list of customers who have spent more than $1000 last year in my web shop, or whatever. Those operations aren’t possible today.
True, somebody might discover a way how to do that. But then again, they might not. I’m unlikely to be able to hold my breath that long.
Homomorphic encryption is an interesting idea, but it’s not even theoretically useful for most real-world uses, let alone practically. I’d therefore suggest that it’s off-topic WRT this discussion.
Paul • December 7, 2011 11:57 AM
My data, my storage, offline. Separate from anything I want to make public. Not always easy, but effective.
David Harmon • December 7, 2011 8:41 PM
One option here is simply to accept a certain amount of partitioning along national lines. Of course, this would include a hefty hit on international contracts! That might actually yield a commercial kickback against Patriot and similar schemes. Or the US gov’t might just declare that doing business in uncooperative countries is “unpatriotic” if not illegal… certainly, they’ve shown little hesitation so far to simply destroy what they can’t control.
The international provisions of Patriot assume that the US can bully other countries into compliance. These days, that assumption may no longer hold, and that’s going to have far-reaching effects.
A blog reader • December 8, 2011 1:19 AM
…Timbuktu?
More seriously, from what one understands, certain other nations (including industrialized ones) such as nations within the European Union may well put more emphasis on protecting personal data than the US does, in addition to possibly having less “homeland security over privacy” type politics. (The source for the following does not come to mind right now, but it might be that the US puts more sanctity on physical property and less on data privacy; places overseas might do the opposite or do things differently. Even in the mid 1990s, the issue of sensitive information being processed by prison labor was not unknown.) As issues of foreign jurisdiction go, the case of the Operation Clambake (Xenu.net) site may be of interest, though the case was likely more about making information available as opposed to keeping information private. The Operation Clambake site currently operates out of Norway, according to its Wikipedia entry.
Dirk Praet • December 8, 2011 8:58 AM
As with all other new IT technologies, hypes and buzzwords of the past, cloud computing is not different when it comes to security. It’s just another fine example of the next big thing security will be boulted up on instead of making it secure by design and from the ground up before taking it to market.
As to public clouds, they kinda come with the additional inconvenience that your data can be scrutinised by government agencies upon request to provider without you even knowing something is going on. I find that pretty much uncomfortable to the point that I wouldn’t consider any cloud solution secure as long as both data and data traffic are not appropriately encrypted. No matter what country they’re in.
I think the people who understand what grid computing is and needs to contain to prevent/keep up with vunerabilities, should be the primary engineers behind ‘the cloud’. There’s a lot of angst and anxiety about being in the cloud, worried executives and such, who are demanding a presence but probably really don’t understand it themselves and neither do their internal IT folks ( generally speaking, because they’re playing ‘catch up’ themselves ). Whereas the old dawgz of the gridz-iddly probably have a better grasp. I’m talking about private interests btw, not the gov’s.
Most governments, historically, don’t care about your privacy. Don’t take it so personally. You notice, maybe even consciously design to watch, what your neighbors doing out there in their yard. You’re spying on them. You seem them moving around in their houses at night if their blinds aren’t drawn. You’re spying you curious little cat. At that moment you may not have an internal moral debate going on with yourself.
Up the ante a little: you see your neighbor carrying around a bunch of potassium chloride. Hmm…you may watch him or her hardner now, huh?
I’m not supporting personal liberty being eroded btw. Not at all. But don’t you think it’s a very complex topic of who determines the ‘balance’ between privacy rights and public safety concerns or outright espionage?
Please pardon my spelling errors.
hacktheplanet1999 • December 9, 2011 5:19 PM
Stallman was right all along.. cloud computing is the enemy of freedom everywhere and basically a huge scam.
I attend an angel investing forum locally in my city, and everything that’s been presented lately is some BS cloud invention. Corporations absolutely love the cloud, because it means they control all your data and access. They now control what you can see, what you can do, and then make bank from licensing fees.
Microsoft desperately wants to abandon the entire PC business and simply sell everybody dumb terminals that will connect to their cloud where they can monitor everything you do to crack down on piracy, and sell your information to advertisers. Bandwidth isn’t there yet but soon it will be.
Prepare for 2030, year that all stand alone computers and devices become illegal and cloud monitored access through a US corporation the only way you’ll be able to get online unless you’re a criminal and can A-team build your own 386 box and install tinfoil hat linux.
Richard M Stallman • December 10, 2011 11:28 AM
One comment says that merely storing your data in someone else’s server is not “cloud computing”. Meanwhile, Apple introduced a service called iCloud for storing your data in someone else’s server.
This disagreement illustrates the meaninglessness of the term “cloud computing”. It is used for so many different scenarios that it really conveys no meaning at all — except, perhaps, a careless attitude towards important distinctions. I’ve decided to reject the term and never use it.
Clive Robinson • December 11, 2011 3:02 AM
@ Richard M Stallman,
This disagreement illustrates the meaninglessness of the term “cloud computing”. … I’ve decided decided to reject the term and never use it
Whilst I would agree that in practical and technical terms “cloud computing” is effectivly so nebulous as to be devoid of measurable meaning it is a “term in common use”.
And as with many things to do with human perception “they do not exist without a name, and although the name brings them into existance, they are not the name” a point that was not lost on the logician Charles Lutwidge Dodgson (AKA Lewis Carroll) in his poem “The White Knights Song” and other well known works.
The term is out there and others ascribe to it the meanings they might wish, but it’s existance as a term no matter how devoid of meaning it might be to you or I cannot be denied.
In this respect it is like many other terms such as “knowledge” or “engineer”, it is either or both, to broad in scope, or effectivly self referential.
The solution to this very human perception problem has always been to break it up in some way by methods such as catagorise the scope or impose a hierarchy or both. Thus you get “mechanical engineer” and “design engineer”, that begat “mechanical design engineer” etc often prefixing the more quatifiable description of “specialising in…”.
In many respects this is a social norm to prevent alienation of others who would have little or no concept of what a particular highly specialised field of endevor is by it’s name alone.
George Orwell whilst working in a book shop at the botom of Pond St Hampsted London during World War II realised into his writings that this social norm was important as it could be, by witholding its use be used as a method of segregation and thus repression.
So by all means when talking to specialist in a particular field of endeavor withold using it, but remember the important use of it as a social norm when addressing a less specialised audiance, even if you just restrict yourself to why you are not going to use it further in the current address, discussion.
All of us have our own pet dislikes when it comes to terms, two of mine are the misappropriation of the term “hacker” and the more recent “China APT” and no doubt some people are smiling on reading this admission because of my past stamping of my (less than) little foot on the subjects 8)
Matthias • December 11, 2011 5:19 AM
@ Clive,
“cloud” and “hacker” do have some problems in common. To specilaists, they’re too nebulous without qualification. The general public associates strange and unwelcome things with them: more so when talking about hackers, but the “cloud computing” meme seems to be getting there.
In both cases, the solution of qualifying the concept only works among specialists. Fellow coders understand “Linux kernel hacker”. The general public, not so much, unless the context explicitly distinguishes between your word (“hacker”) and the word you use for the idea which the public usually associates with it (“cracker” or similar).
The Cloud idea however is too nebulous for that to work well, in my experience. And the public fears, i.e. that their data are “somewhere out there” and can be grabbed by whomever, aren’t exactly far-fetched.
NB: Improved spelling and less mixing-up of homonyms (“it’s” vs. “its”) would be appreciated.
Matthias • December 11, 2011 5:20 AM
public fears → public’s fears. Gaah.
Matthias • December 11, 2011 5:22 AM
And specilaists → specialists, of course.
Eat my own dogfood, I need to.
Clive Robinson • December 11, 2011 6:20 AM
@ Matthias,
NB: Improved spelling and less mixing-up of homonyms(“it’s” vs. “its”) would be appreciated
Yes I’ve a life long bad habit of that, the question is though “Can an old dog be taught new tricks”?
Speaking of “dog food” in the UK and I believe Germany as well one major supplier is “Pet Foods”, who just happen to be owned by the same company as “Mars” who make chocolate bars, so pick the type of “dog food” you would prefer
P.S. For all canine and other pet owners please don’t feed human chocolate to your pets, it’s poisonous to both them and you (theobromine). The difference being that whilst as little as 30gm of dark chocolate can kill your four legged friend, it takes around 10Kg in one go to kill a human.
BF Skinner • December 13, 2011 11:22 AM
FBI’s ALREADY wise to Carrier IQ.
FBI using Carrier IQ info for “law enforcement purposes,” refuses to release records.
Gosh. Who’d’ve thought that was possible?
Who DIDN’T see it coming?
indeed • December 13, 2011 6:52 PM
Carrier IQ is just the tip of the smart phone backdoor iceberg according to Asange. Remember the datalocking company? Prepaid 4096 encrypted blackberries who’s entire activity went straight to the FBI.
There is no civilian sold phone on earth that is secure from spying. Also recall the Chechen warlord who caught a cruise missile while using his supposed anonymous satellite phone. The UK police having easy access to round up rioters.. list goes on.
As for US clouds nobody should trust them. Even if you’re a democracy activist or journalist in China who’s to say Chinese agents won’t submit fake subpoenas via fax to get all your info. United States has never had decent privacy law
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
A.Nony.Mous • December 6, 2011 2:01 PM
None of them, of course.