How Your Cloud Dream Is Becoming a Security Nightmare


After extracting a deal from Research In Motion that appears to give state authorities the ability to monitor messages sent over the company’s BlackBerry network — similar to a deal that RIM agreed to with the government of Saudi Arabia — the Indian government has suggested that it may go after both Google and Skype in an attempt to get similar kinds of security concessions.

India’s threat means that this is no longer just about Research In Motion and its specific network or security controls; it’s about gaining widespread and potentially unlimited access to a whole range of cloud-based services. In other words, it means that our growing use of the “cloud” — whether it’s web-based email or web-based voice calls such as those recently launched by Google, or mobile email and data from companies such as Research In Motion — is colliding headlong with the demands of foreign governments to control those services and applications, or at least their demands to monitor them whenever they wish.

It’s not just India and Saudi Arabia making these kinds of moves either. Lebanon, Algeria, Indonesia and several other countries are said to be watching closely what’s been going on with RIM, with an eye towards pursuing similar deals with the company, and with other web and mobile service providers. There have also been unconfirmed reports that RIM has already handed over some form of monitoring ability to the federal authorities in both Russia and China, although it’s not clear what level of access those governments have received. If India goes after Google and Skype for access to their email, instant messaging or other communications, China and plenty of other countries are almost certain to demand the same kinds of access.

India has focused on targeting Skype because of the government’s belief that terrorists and other anti-government forces routinely use the VoIP service as a way of communicating without having their phones tapped — something that could also be a risk with the new voice services that Google has launched. According to reports from Bloomberg and other news sources, the government wants both Google and Skype to set up servers in that country that can be monitored by security agencies, or to provide a means for tracking voice and instant messaging data.

The U.S. government has the authority to subpoena content from the BlackBerry network, but it doesn’t have explicit decryption boxes running on RIM servers inside corporate premises, which is what it sounds like India and Saudi Arabia want: to be able to simply turn on their eavesdropping devices and collect whatever they wish. Will India or Saudi Arabia or China abide by the same rules as the U.S., and provide full legal justification for doing this if and when it happens? Perhaps. Or they might just conveniently forget about such niceties (although the U.S. sometimes goes outside the legal boundaries as well).

Either way, your data could be at risk. If you send messages over the BlackBerry network, use Skype to call overseas, or send email or use the new voice-calling options from Google, theoretically what you say could be monitored by a foreign government, if India gets its way. There’s no reason to believe that these efforts are going to stop with India, or with just RIM or Skype or even Google; Amazon, Facebook and others could be the next to face such government demands for access to their servers and the information stored there. Living our lives in the cloud is appealing in many ways, but how much freedom do we have to give up in order to do so?


Post and thumbnail photos courtesy of Flickr users AndyRob and Chrissy575



What are they gonna want next, the encryption keys for all VPN tunnels? This just opens up the floodgates of silliness.


People had the freedom to choose whether to accept it or not. If they disagree, they will still go the old-fashioned way.


This problem was solved in the 1990s with public key encryption. But the solution is too much of a pain in the ass, and people are too disorganized to be able to hang on to their private key in a secure manner.

Still, though. Most people in business and government depend on a third-party security system to protect their emails from eavesdropping, instead of using client-side encryption. This is silly.

The best encryption would be to PGP all your email and run your own IMAP server with an SSL tunnel.


We have to face up to the fact that governments have the power here. We can take reasonable steps such as encrypting our stuff, but a determined government can read your mail. Period.

Don’t use the web if you are afraid of government.

Having said that, most of us are not afraid of government. We are much more concerned about corporates and individuals – sometimes crooks – getting our private info. And for that we can achieve reasonable protection.

There is a whole new awareness of these topics brewing. I've blogged about it.


Does this make it worth keeping your mail on Exchange accounts hosted with independent players, or are we pretty much screwed no matter where we host our mail?
