Summary:

The former NSA sysadmin said in a Guardian interview that cloud providers can earn users’ trust by building their services around encryption and being clear about “where they draw the lines.”

One of the clearest implications of NSA leaker Edward Snowden’s revelations has been that cloud computing is a big problem: By creating a centralized data repository, the model makes it easier for law enforcement and spies to access users’ data through programs such as PRISM.

Obviously that creates a massive trust issue. That said, Snowden doesn’t think cloud computing is doomed. In an interview with the Guardian published on Thursday, he said cloud providers could remain safe to use by being more encryption-friendly.

What you can trust and what you can’t

“What cloud companies need to pursue in order to be truly successful is what’s called a zero knowledge system, which means the service providers host and process content on behalf of customers but they don’t actually know what it is,” Snowden said. “That’s the only way they can prove to the customers that they can be trusted with their information.”

Snowden pointed to SpiderOak as a good example, because they’ve “structured their system in such a way, you can store all of your information on it, but they literally have no access to the content of that information.”

“So while yeah, they could be compelled to turn it over, the law enforcement agencies still have to go to a judge and get a warrant to actually get your encryption key from you,” he said, contrasting this with Dropbox, a “wannabe PRISM partner” that put former U.S. Secretary of State Condoleezza Rice, “probably the most anti-privacy official you can imagine,” on its board of directors.

The former NSA systems administrator, who currently has temporary asylum in Russia, said he didn’t use Skype or Google for personal communications (though he has used them to appear on-screen at international conferences in the last year). “We shouldn’t trust them without verifying what their activities are, how they’re using our data, and deciding for ourselves whether it’s appropriate where they draw the lines,” he said.

Oversight issues

Snowden also said it was common for NSA analysts to pass around nude photos of people in sexually compromising positions, derived from those people’s internet usage, among themselves for ogling.

“Sooner or later this person’s whole life has been seen by all these other people. It’s never reported. Nobody ever knows about it because the auditing of these systems is incredibly weak,” he said, adding that this is “seen as sort of the fringe benefits of surveillance positions.”

The NSA has responded by saying the agency has “zero tolerance for willful violations of the agency’s authorities or professional standards,” but it didn’t actually deny that such passing-around takes place. It can’t, of course, if such incidents are never reported.

On a similar theme, Snowden said digital illiteracy among lawmakers was “probably the single most important factor that explains the failures in oversight that we’ve seen in almost every western government.”

“We need to think of it in terms of literacy because technology is a new system of communication, it’s a new set of symbols that people have to intuitively understand,” he said.

A very similar thought was expressed on Wednesday by web entrepreneur and British peer Martha Lane-Fox, when bemoaning the fact that others in the House of Lords were ill-equipped to examine a new U.K. surveillance law that was fast-tracked through the parliamentary process this week. “All pieces of legislation will soon have aspects of technology at their core and our ability to scrutinize effectively will rely on a deeper understanding than currently exists,” she said.

  1. zero-knowledge Friday, July 18, 2014

    Never trust an American Company!

    After all that has happened recently, I would never trust an American company. SpiderOak gives out no details about their crypto design, so they are not more secure than the others. Only marketing makes us believe they are.

    The only really secure alternative to Dropbox is a privately hosted, open-source file-storage system. I have personally used arXshare for two months, and I am very happy with it. It is free for personal use and I host it on my SAN. More details are available at http://www.arxshare.com

  2. Most American politicians love the Web. Another source for fundraising from us ordinary people.

    Without actually having to shake hands or be in the same room with us.

  3. Dropbox was circumspect from the get go! If you care at all you just have to turn your back on cloud content management.

    Keep all local, it's the only way to be sure. It speaks volumes that all the tech might in this country neither can nor will do anything to mitigate government abuse.

  4. He is a traitor. Who cares what he thinks?

    1. He supports the Constitution. Do you?
      Who is the Patriot? Who is the Traitor?

  5. George Kaplan Friday, July 18, 2014

    Use a private cloud server like CloudLocker and you won’t have to worry about anyone getting your files.
