NSA spying and what it means for you
In case you’ve been living under a rock and haven’t heard this week, the big Internet news at the moment is that the US government’s spying on internet usage is far beyond what many people expected (although less than many others did, one surmises).
The Guardian (UK) recently broke the news that an NSA program called PRISM had requested from US internet & phone provider Verizon virtually all their logs for all systems and was analysing this information, to search for threats to national security.
Whether this amount of spying on private citizens is justified is the subject of much debate and is, generally speaking, outside the scope of this article. Obviously, cases for and against are relatively easy to make; however, as is often the case, most people seem to be happy with the concept of watching communications between suspect people – just not the scope of it, and not the fact that it probably includes their data.
So for users of cloud services, big and small, what does this mean for you?
One of the key concerns people have taken from this is that the big cloud players have happily provided the US government with massive amounts of information about their users. Various media reports have indicated that the super massive players, such as Google, Apple and Facebook, have all handed over such data.
Firstly, let’s understand that, where the US government passes a law and then turns up with a legally valid request, it’s not as if these companies can refuse to comply. However, just how readily they have complied is the real issue many people have taken with this.
Some of the companies involved, notably Google and Facebook, have very strongly and publicly denied involvement in – or even knowledge of – such a system. Google’s Larry Page (CEO) is on the record strongly putting these claims to bed:
“…First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday…”
Facebook and Yahoo have come forward with similar statements, as no doubt will Apple and the rest.
While it’s good to see these companies publicly stating support for their users, we also need to keep in mind that they do have to provide information that the governments of the various countries they operate in request, within the laws and statutes of those countries.
So the question instead becomes how easily your data can be made available (and, of course, how much you care).
What information is being collected?
Of course, this is hard to quantify directly; however, it’s likely to relate to information such as who people have been in contact with, via phone, email or other methods. Data is likely (but not certainly) limited to logs of connections, rather than actual packet contents, so, for example, they may know you spoke to someone on the phone or by instant messenger – but not what the conversation was.
Why would they do this?
The answer is most likely counter-terrorism. If they know, for example, the details of the Boston Bombers, they may want logs of anyone who spoke to them on the phone that day.
What does this mean to us?
It’s easy to simply say “if you’re doing nothing wrong you have nothing to fear”; however, we all know the story is more complex than that. Once your information has been taken out of your exclusive control, it remains outside of it, and this means that if the NSA is in turn hacked, or someone there misuses it, business secrets can be leaked (and have been, in other cases).
Okay, so if we know a little bit about what they’re doing, the question becomes, for the average cloud customer: is this a concern to my business, and would my business be more secure if I weren’t in the cloud?
The short answer is no – in fact you may be less secure running your own shop (unless, of course, you know what you’re doing). If your cloud provider is genuinely looking after you as a customer and not just handing your data over to someone else, then they probably have a very good idea of how to keep it secure (and if they don’t – don’t use them).
The fact of the matter is that, once your data and your communications are on the net, they’re there for all to see (at least all who have the access and ability). Whether you’re running your own server in your office or working off a rented VM on the other side of the world, your data still travels to and from your contacts in much the same fashion. So, in short, you’re still susceptible in the same ways.
So what should we be doing about it?
At this stage, not a lot, really. We don’t know the full scope of the situation, or how many other governments are involved (although it appears the UK was, and if they were, Australia is sure to be following along, too). End users and system administrators should really be doing what they should always have been doing.
Data that should be protected needs to be encrypted and looked after. Key information shouldn’t be travelling over HTTP in plain text, and emails shouldn’t contain the recipe for Coca Cola. Passwords need to be secure and, when you’re a cloud customer, you need to trust your provider. If you don’t have that – you don’t have anything to work on.