PRISM, the public cloud and privacy: What’s at risk?


Credit: Maksim Kabakou

Privacy means a great deal to me: I carefully guard what I make public about myself, and as a technologist, I am constantly on guard about the technology I use. I’ve been thinking a lot lately about the personal impact PRISM and its sister projects in the U.S. and elsewhere will have on me, my family, my friends and society in general in the U.S. and abroad.

In addition, because of what we do at my company, I’ve had many conversations with colleagues, customers and the broader public about the dangers we face as businesses with the abilities shown by governments – and let’s not kid ourselves, by bad-guy hackers.

Then I saw a story study from the Information Technology and Innovation Foundation that predicts that PRISM could cost U.S. cloud companies up to $35 billion. From the story:

“We keep hearing that the U.S. National Security Agency’s propensity for data collection will hurt American cloud companies. Now, one researcher has put a figure on those losses — $22 billion to $35 billion over the next three years. That’s according to The Informational Technology & Innovation Foundation.”

My first reaction, actually, was “good.” Not that I want the public cloud companies to lose money – quite the opposite. The technologies that the likes of DropBox and others have brought to market are wonderful – bringing low-cost productivity to personal and professional users. I say good because a pause in the headlong rush into the public cloud – especially by businesses – with all its inherent security, control and availability risks is a very good thing.

There has been an uproar in Europe over this – despite the somewhat muted reaction here in the US. If you are a European company with data stored in a public cloud, and that data resides on US servers, or servers anywhere for a US-based company, that data is subject to the Patriot Act. And, to make matters worse, you won’t even know that your data has been investigated. I’ve been asked to explore this very topic (Post PRISM panopticon: confidence in public cloud computing) at tomorrow’s GigaOM Structure: Europe in London.

Businesses need to face the problem of their data exposure. Principally every individual or organization has three choices:

  • Keep all your systems and data private under your own control
  • Build trust (relationships, legal, general) into an organization to host your systems and data
  • Build a hybrid strategy depending on the level of importance of systems and data or other decision criteria

However any solution you want to use to run the above should fulfill the following criteria:

  • Allows you or your employees and customers and partners to access data and files when they want and where they want
  • Gives you full control and auditability
  • Securely allows the exchange of data across people and other organizations
  • Allows you or any third party or interested person to control that no backdoors are built in (open source software is a great way to accomplish this)

Businesses should start by auditing the use of DropBox, Google Drive, Box, Accelion et al: vendors that force your data off site – either to store it, or to “cloud enable” it (remember, even if data is stored on premises, if it has to travel to off-site servers, there should be red flags). Then decide if your company can risk the exposure of that data. Many companies will decide that some, or even all, of their data can be exposed. Others will decide none can. I do believe most, however will create a hybrid model.

But I think the most important thing is that businesses just take a closer look at their data. That is the first step to taking back control.

Markus T. Rex is CEO of ownCloud.


JT Reynolds

I gave up on public cloud services like Dropbox, iCloud, Skydrive, etc., when I learned the law says we lose the expectation of privacy for anything stored online more than 180 days. That means the government doesn’t need a warrant to look at it. To make matters worse, I read the terms of use, and most say they will look at your files and share that information with others to help “improve their service,” which means find ways to make more money from it. And that could be by selling your information to the highest bidder. The last straw was when Dropbox said they keep backup copies FOREVER, even after I delete my files ad close my account. WHAT GOES UP NEVER COMES DOWN. I hate that. With the public cloud, there’s no undo button.

Sorry, but NO MORE. I quickly stashed all my stuff in a CloudLocker ( which works just the same (even better) but keeps everything in my house where I can see it – and unplug it and hide it away if I want to. I think these private cloud devices are the way of the future. Like Mr. Rex says, it’s “the first step to taking back control.”

BizSec Podcast

Beyond just the NSA’s reach into The Cloud, the recent news that they weakened encryption standards should be of concerns to businesses. It has potential ramifications for compliance, protecting intellectual property, as well as securing transactions. We don’t yet know to what extent the NSA has weakened cyptography standards, but may be an issue worth bringing up in your next technology steering committee meeting.

We talk more about this issue on the latest BizSec Podcast if you want to know two security industry veterans’ perspective, as well as what our business clients are saying and thinking.

Comments are closed.