PRISM, the public cloud and privacy: What’s at risk?

Lock, encryption, privacy, NSA

Privacy means a great deal to me: I carefully guard what I make public about myself, and as a technologist, I am constantly on guard about the technology I use. I’ve been thinking a lot lately about the personal impact PRISM and its sister projects in the U.S. and elsewhere will have on me, my family, my friends and society in general in the U.S. and abroad.

In addition, because of what we do at my company, I’ve had many conversations with colleagues, customers and the broader public about the dangers we face as businesses with the abilities shown by governments – and let’s not kid ourselves, by bad-guy hackers.

Then I saw a story study from the Information Technology and Innovation Foundation that predicts that PRISM could cost U.S. cloud companies up to $35 billion. From the story:

“We keep hearing that the U.S. National Security Agency’s propensity for data collection will hurt American cloud companies. Now, one researcher has put a figure on those losses — $22 billion to $35 billion over the next three years. That’s according to The Informational Technology & Innovation Foundation.”

My first reaction, actually, was “good.” Not that I want the public cloud companies to lose money – quite the opposite. The technologies that the likes of DropBox and others have brought to market are wonderful – bringing low-cost productivity to personal and professional users. I say good because a pause in the headlong rush into the public cloud – especially by businesses – with all its inherent security, control and availability risks is a very good thing.

There has been an uproar in Europe over this – despite the somewhat muted reaction here in the US. If you are a European company with data stored in a public cloud, and that data resides on US servers, or servers anywhere for a US-based company, that data is subject to the Patriot Act. And, to make matters worse, you won’t even know that your data has been investigated. I’ve been asked to explore this very topic (Post PRISM panopticon: confidence in public cloud computing) at tomorrow’s GigaOM Structure: Europe in London.

Businesses need to face the problem of their data exposure. Principally every individual or organization has three choices:

  • Keep all your systems and data private under your own control
  • Build trust (relationships, legal, general) into an organization to host your systems and data
  • Build a hybrid strategy depending on the level of importance of systems and data or other decision criteria

However any solution you want to use to run the above should fulfill the following criteria:

  • Allows you or your employees and customers and partners to access data and files when they want and where they want
  • Gives you full control and auditability
  • Securely allows the exchange of data across people and other organizations
  • Allows you or any third party or interested person to control that no backdoors are built in (open source software is a great way to accomplish this)

Businesses should start by auditing the use of DropBox, Google Drive, Box, Accelion et al: vendors that force your data off site – either to store it, or to “cloud enable” it (remember, even if data is stored on premises, if it has to travel to off-site servers, there should be red flags). Then decide if your company can risk the exposure of that data. Many companies will decide that some, or even all, of their data can be exposed. Others will decide none can. I do believe most, however will create a hybrid model.

But I think the most important thing is that businesses just take a closer look at their data. That is the first step to taking back control.

Markus T. Rex is CEO of ownCloud.


Comments have been disabled for this post