Friday, June 21, 2013

The fallout

More NSALeaks - this time news that Skype collaborated with the NSA to allow them to tap its users' phone calls. I guess that's their business down the drain. Meanwhile, in the Guardian, Ross Anderson points out that it's not just governments and big corporations with valuable IP which need to be concerned about cloud-storage, but also doctors, lawyers, accountants and engineers:

[S]ome of our patients and clients surely will be [of interest to the NSA]. As well as being an academic, I also do occasional expert-witness work, mostly in computer forensics. A few years ago I had a defendant in a terrorism trial as a client. I cannot use a US webmail service if it will leak attorney-client conversations straight to the prosecution...

But you can't always tell in advance which cases might be sensitive. A client I recently helped to get acquitted of a rather dubious fraud charge turned out to be a refugee from a South Asian country whose secret police work closely with the Americans. This emerged only after I'd accepted instructions. So I'd better have a non-US service for all client work...

The third problem is that, even if a client is completely innocent of any wrongdoing, machine-learning algorithms can tar him with guilt by association. If a system just uses Bayesian probability, without paying attention to social context or legal rights, then it may well stigmatise any service that's had anything to do with terrorists in the past. The implications for NGOs like Liberty or law firms like Bindmans are clear. If we don't want to risk innocent clients ending up on no-fly lists and watch lists (or ending up on a list ourselves) then we shouldn't use communications that the NSA's search engines can devour.

He suggests using an EU cloud provider instead of a US one. But firstly, the providers aren't exactly transparent about where their servers actually are. And secondly, EU intelligence agencies can't exactly be trusted either (but then, at least EU citizens have democratic control over them, supposedly).

The NSA have probably just destroyed cloud providers' entire business model. Their business depends fundamentally on trust - that they'll keep our data secure, and not hand it out to anyone but us. The NSA has destroyed that trust. The upshot? The cloud cannot be used for anything but the most trivial data. Writing larps and storing lolcats on it is fine. Anything serious with privacy, professional or business implications is probably a no-no.