Many years ago now, I worked as a Director of Information Systems for a very large company, but I (thankfully) left before managing cloudy days—working with online, cloud-based, data storage—became a job requirement.
I didn’t leave because of cloud-based technology. I’m not sure that it was even something we really thought about yet at the time of my exit. I left for a variety of reasons that mostly had to do with a growing distaste for managing technology, and technology people.
And though there may not yet have been clouds on the horizon, monitoring and control was certainly a big deal: tracking employees, and quite literally monitoring their every move. I’m sure those in control have always kept tabs on those they controlled, for as long as controllers and those they controlled have existed, if not longer. But tech was already bringing this to levels never before dreamed of.
In the end, it just seemed like it was time to unplug, at least a little.
So I decided for a number of reasons (mostly having to do with “convenience”; believe it or not, it was the easy way out) to go to law school. And technology continued on a path that was, as I said, already worrisome.
Fast forward more than a decade and tech is quite literally everywhere. When I went to law school, more than a few people were still writing briefs using typewriters, after having first written them out long-hand in some cases, and large numbers of us carried beepers, but not mobile telephones—I don’t remember calling the first ones “cell phones,” but maybe we did. Regardless, we didn’t carry much in the way of tech everywhere we went.
There was no Fitbit to track our every step. No smart phones that both contained, and could be mined in interesting ways for, more information about a particular individual (and those with whom they may have had contact) than you probably could find on “humanity” if you aggregated everything that had ever been written, or become fossilized, or you-name-it, before the invention of our ubiquitous tech.
I know for a fact that my current “phone” is more powerful than all the computing power available to NASA in the 1960s, when we used that tech to send men to the moon. And Riley v. California notwithstanding, all this tech these days sends an awful lot of men (and women) to prison.
The thing about this tech is that it seldom seems to work to save anyone from anything. In criminal cases, when the tech coulda, woulda, shoulda saved an innocent—or perhaps simply “overcharged”—person from a further decrementing of already debilitated constitutional rights via a term of probation, parole, or other court supervision, the tech nearly always fails. Bodycams somehow only record inculpatory, and not exculpatory, video. Similarly, other types of computer files that could deny the state its conviction either don’t exist, can’t be found, or have become (like too many law enforcement officers, prosecutors, and judges) corrupted.
Funny thing about tech. In truth, it just seems like it nearly always works to convict people, and seldom to set them free.
And now, of course, the big thing—at least in California—is that people who are on probation are being subjected to “electronic search conditions.” Sure, there’s the Valdivia case, which kinda sorta stands for the proposition that boilerplate electronic search conditions cannot be constitutionally imposed on probationers. But does the fact it stands for that mean probationers’ electronic devices are safe from search and seizure with or without a warrant?
Nope.
It just means that the trial court has to “narrowly tailor” the search conditions to “pass constitutional muster.” In the last case where I challenged electronic search conditions, the court was aware of Valdivia. Fortunately, the DDA was not. Thus, I argued against only one prosecutor that day.
Unfortunately, it was the one in the black robe, up on the bench, and so the “narrow tailoring” that I achieved was that “only” information on the phone that might reveal evidence of a violation of a law—any law—could be searched. [1]
That’s some narrow tailoring there. I think we got an agreement that probation couldn’t look at his Angry Birds scores.
With all this going on, I have, for many years now, resisted the trend to embrace cloud technology. My electronic gadgets do not talk to the cloud (at least, so far as I can stop them). I use no cloud back-ups. I refuse to sign up for accounts to receive electronic discovery because I don’t want my systems connecting—however attenuated that connection might be—directly to a prosecution system. And although I am sometimes left with no choice but to temporarily upload a file to an encrypted file-sharing service when I want to share it with an investigator, or expert, because there’s no other way to transmit it across long distances, I do not store client files, or client information, in clouds. [2]
Why am I so paranoid about clouds? After all, there are many cloud-based services that allow for extra-super-duper-triple-and-quad-druper-whooper-with-cheese-style file encryption. These systems, representatives of these systems assure me, cannot be compromised even by the builders of the systems these representatives represent. Plus, don’t you know, Apple and all the other tech companies—well, okay, not all, and not any all the time—aren’t going to hand data over to the government willy-nilly. Not even with a willy-nilly subpoena.
Here’s the thing, though. Even those companies that currently claim to stand up to the government—for the moment, let’s take their word for it that they do—cannot be counted on to continue doing that, if doing that impacts their bottom line.
China and Russia, among other places ruled by strongmen and their political cronies, are demanding that technology companies locate all their data on national soil. The titans of American digital innovation – Apple, Google, Facebook, Amazon, Microsoft and others – face a difficult choice. They can risk moving the data of millions of customers to a police state, or they can refuse and risk losing millions of customers.
Which choice do you think Apple is taking this week? Well, yeah, I gave it away in the paragraph before the quote. So let’s try this question: Which choice do you think Apple would take if the United States passed laws that required them to cooperate, even to the extent that China does, or face significant penalties?
It’s not like it couldn’t happen here. I mean, hell, we have a strongman with political cronies. Our strongman would even rush into a school unarmed, one bone spur tied behind his back, to subdue a school shooter, and rescue a cat from a tree with his other hand!
But, back to reality….
If it happened here, tech companies might put up a fight. At first. After all, the United States is not yet China. We’re still barely even a Russian satellite country. [3]
And, yes, I get that my client data isn’t completely safe in my own office, even behind firewalls, and even when stored on systems unconnected to the rest of the network, or in paper files inside a file cabinet.
But that doesn’t mean I’m going to hang it on a string outside my office window—or on a cloud at the end of an electronic wire—where anyone can go through it without me being aware that it’s been done.
Moreover, we already know that the police somewhat-routinely intercept cell phone communications these days. How do I know they don’t have something similar for intercepting files we’re depositing in the cloud? After all, encrypted storage doesn’t work unless the files are encrypted before they’re uploaded, right? Even if it’s encrypted before going over the intertubes, are you convinced the government cannot decrypt it?
Go ahead: call me paranoid. Just remember this key thing about clouds: you can’t really see what’s going on inside them.
Footnotes
[1] Because, remember, all probationers, at least in California, have as one of their probation conditions that they “obey all laws,” and searching electronic devices can help probation officers to ensure this is happening. Here’s a little information on trying to fight electronic search conditions in California.
[2] Sadly, this also means that I currently have no practice management software, because it’s almost all gone cloud-based; that which hasn’t doesn’t run on my systems.
[3] Sure, I understand our leaders don’t want to stop Russian infiltrating our voting apparatus, but that’s not because they want to benefit Russia directly; it’s because they believe Russia isn’t getting as much out of it as our current leadership is.
As a practicing MS CS – albeit not specializing specifically in InfoSec – I daresay that careful use of mature open-source software, such as GnuPG, would bring the security risks of cloud-based storage of locally-encrypted information to the level associated with local (offline) storage. Of course, local storage of sensitive information should be encrypted as well. Personally, I would be more wary of non-open-source software (including OS itself) running on equipment (e.g. notebook) used to handle sensitive data. If running a completely open-source environment (probably Linux-based) is out of the question, one should at least consider a VirtualBox installation of a Linux-based environment dedicated specifically to handling of sensitive information. VirtualBox can encrypt its images as well, so that can be used as an extra (not a replacement for GnuPG) security layer. Also, one should be aware that such seemingly innocuous services as grammarly.com do send the text to be checked to their own servers for processing.
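The post's point that files must be encrypted before they are uploaded, and the comment's suggestion of GnuPG for that, can look like the following in practice. This is an added example, not code from the author or the commenter; it assumes GnuPG 2.1 or later, and the names `GNUPGHOME_DIR`, `PASSFILE` and the outbox directory are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (assumes GnuPG 2.1 or later). GNUPGHOME_DIR, PASSFILE and the
# outbox directory are hypothetical names chosen for this sketch.
#   GNUPGHOME_DIR  private gpg home (mode 700), kept off the synced folder
#   PASSFILE       file holding the passphrase, also kept off the synced folder

# Run gpg non-interactively with the passphrase read from PASSFILE.
gpg_batch() {
    gpg --homedir "$GNUPGHOME_DIR" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-file "$PASSFILE" "$@"
}

# verify_roundtrip <plaintext> <ciphertext>
# Decrypt to a temporary file and compare byte-for-byte with the original.
verify_roundtrip() {
    vr_tmp=$(mktemp) || return 1
    gpg_batch --output "$vr_tmp" --decrypt "$2" 2>/dev/null && cmp -s "$1" "$vr_tmp"
    vr_rc=$?
    rm -f "$vr_tmp"
    return "$vr_rc"
}

# stage_for_cloud <plaintext> <outbox-dir>
# Encrypt locally with AES-256 and place only the ciphertext in the outbox.
# The ciphertext is deleted again if it cannot be decrypted back to the input,
# so an unrecoverable file never becomes the copy that gets synced.
stage_for_cloud() {
    sc_out="$2/$(basename "$1").gpg"
    gpg_batch --symmetric --cipher-algo AES256 --output "$sc_out" "$1" || return 1
    if ! verify_roundtrip "$1" "$sc_out"; then
        rm -f "$sc_out"
        return 1
    fi
    printf '%s\n' "$sc_out"
}
```

Only the outbox directory would be pointed at a sync client; the plaintext, the passphrase file and the gpg home stay on local, encrypted storage.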