SOCRATES. Do you really wish to know the truth of celestial matters?
STREPSIADES. Why, truly, if ‘tis possible.
SOCRATES. … and to converse with the clouds, who are our genii?
STREPSIADES. Without a doubt.
SOCRATES. Then be seated on this sacred couch.
STREPSIADES. I am seated.
SOCRATES. Now take this chaplet.
STREPSIADES. Why a chaplet? Alas! Socrates, would you sacrifice me, like Athamas?
SOCRATES. No, these are the rites of initiation.
STREPSIADES. And what is it I am to gain?
SOCRATES. You will become a thorough rattle-pate, a hardened old stager, the fine flour of the talkers…. But come, keep quiet. [1]Aristophanes (2012-11-01) The Clouds (Kindle Locations 249-262.) Kindle Edition.
For some time now — it seems like years, but can it really be that long? — I have been regaled with the wonders of cloud computing. The Clouds have become so important in our lives that it’s almost becoming impossible to work on a computer, or even a cell phone, without having to deal with them.
My way of dealing has been to take every new device I receive and search for a means of disabling its ability to talk to The Clouds.
I am motivated to do this because, for years before I was a criminal defense lawyer, I worked in technology. When I started law school, I was starting my eighth year working for North America’s then-third-largest yellow pages company as the Director of Information Systems. Prior to that, I had been intimately involved in helping to start two Internet Service Providers, rising to the level of Vice-President in charge of the Internet Division for the publicly-held company to which that division belonged.
Here’s what my time in those fields taught me: data that is accessible to others is data that is not safe.
In some cases, the threat comes from rogue techs, who, having the ability to access data, find accessing it irresistible. When there is nothing else to do — or perhaps even when there is — they will gladly spend their time slogging through your files, reading your email, perhaps perusing logs which will tell them where you’ve been and what you’ve been looking at. Within the confines of the companies for which I worked, I more than once discovered to my horror that I was forced to reprimand (or fire) someone after a customer’s private email message — too juicy to be kept private — “went viral” within the company.
At least, I hope it stayed within the company.
In other cases, the threats came from my bosses, who demanded that I monitor an employee’s email and Internet usage.
Regardless of the source of the intrusion, or the reason for it, the lesson is, as I noted above: data that is accessible to others is data that is not safe. “If it’s not private, it’s not protected.”
“But what about my password?” you ask.
I’m glad you asked.
The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed. [2]Declan McCullagh, “Feds tell Web firms to turn over user account passwords” (July 25, 2013) c|net, available at http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/.
Will they comply?
According to the story, many companies denied that they would ever turn over passwords. On the other hand,
Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.
But as John Naughton reminds us, there is something to be learned from the revelations that come to us thanks to one intrepid spy hater of America scourge of the Earth citizen of the United States who was unfortunately more familiar with the United States Constitution than was the government for which he worked.
They tell us, for example, that no US-based internet company can be trusted to protect our privacy or data. The fact is that Google, Facebook, Yahoo, Amazon, Apple and Microsoft are all integral components of the US cyber-surveillance system. Nothing, but nothing, that is stored in their “cloud” services can be guaranteed to be safe from surveillance or from illicit downloading by employees of the consultancies employed by the NSA. [3]John Naughton, “Edward Snowden’s not the story. The fate of the internet is” (July 27, 2013) The Guardian, available at http://m.guardiannews.com/technology/2013/jul/28/edward-snowden-death-of-internet.
Think Naughton is nuts?
[I]f you think that that sounds like the paranoid fantasising of a newspaper columnist, then consider what Neelie Kroes, vice-president of the European Commission, had to say on the matter recently. “If businesses or governments think they might be spied on,” she said, “they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes? Front or back door – it doesn’t matter – any smart person doesn’t want the information shared at all. Customers will act rationally and providers will miss out on a great opportunity.”
This isn’t a matter of national security. It is a matter of the breakdown of the traditional distinction between who owns what and what owns whom. We’d all understand that better if the government were somehow suggesting that they have the right to come into our homes, without warrants, and rifle through our things at will. If the computer were in our own house, and not connected to the Internet, we’d surely get that the government had no right to access it without a proper warrant. If we took our things “off-site” to a rented storage facility, and put a lock on the door, most of us would probably still realize the government had no right to go through it without a warrant.
But stick it on someone else’s server, protected only by a password — and possibly encryption — and our governments, and apparently enough silent Americans, are of the belief that it’s freely searchable. No warrant necessary.
Further proof that this isn’t a question of national security comes from the case of Megaupload — and, more specifically, one of its customers. The case proves a number of things, not the least of which is that the government believes it can seize anyone’s data, and if that person complains, the government will try to use their own data against them.
[T]he government’s approach should terrify any user of cloud computer services—not to mention the providers. The government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service. Specifically, the government argues that both the contract between Megaupload and Mr. Goodwin (a standard cloud computing contract) and the contract between Megaupload and the server host, Carpathia (also a standard agreement), “likely limit any property interest he may have” in his data. [4]Cindy Cohn and Julie Samuels, “Megaupload and the Government’s Attack on Cloud Computing” (October 31, 2012) Electronic Frontier Federation, available at https://www.eff.org/deeplinks/2012/10/governments-attack-cloud-computing.
There are allegedly some hindrances to the government obtaining information from the cloud in criminal investigations. This has been identified by the FBI and other law enforcement agencies as a shortcoming which Congress needs to remedy. [5]Josiah Dykstra, “Seizing Electronic Evidence from Cloud Computing Environments,” in Cybercrime and Cloud Forensics: Applications for Investigation Processes (2012) Ch. 7, p. 162. Although this is a very expensive book, and the individual chapters are available online in some locations for around $35-$40 each, I found this chapter was free at http://www.csee.umbc.edu/~dykstra/Seizing-Electronic-Evidence-from-Cloud-Computing-Environments.pdf. Aside from technological hindrances, the law throughout the United States allegedly is legally hindered from obtaining an individual’s information from cloud services. [6]Winston Maxwell and Christopher Wolf, “A Global Reality: Governmental Access to Data in the Cloud” (23 May 2012) A Hogan Lovells White Paper, p. 3. Nevertheless, in some cases, prosecutors in criminal matters have obtained information from cloud services without warrants.
Here’s a short list of your personal information companies can hand over to the feds without repercussion, and on little more than a subpoena: geolocation data, the PCs you’ve accessed, emails you’ve sent and text messages and content you’ve placed on cloud services like Dropbox. [7]Brian Fung, “What the subpoena scandal means for your electronic privacy” (May 15, 2013) Nextgov.com, available at http://www.nextgov.com/cloud-computing/2013/05/what-ap-subpoena-scandal-means-your-electronic-privacy/63169/, emphasis added.
The bottom line? Data that is accessible to others is data that is not safe. “If it’s not private, it’s not protected.”
Don’t blame The Clouds, though.
STREPSIADES. …. Oh! Clouds! all our troubles emanate from you, from you, to whom I entrusted myself, body and soul.
CHORUS. No, you alone are the cause…. [8]Aristophanes (2012-11-01). The Clouds (Kindle Locations 1133-1136). Kindle Edition.
Now, tell me again why a criminal defense attorney like me would want to entrust my client files and other client-related information to The Clouds?
Footnotes
| ↑1 | Aristophanes (2012-11-01) The Clouds (Kindle Locations 249-262.) Kindle Edition. |
|---|---|
| ↑2 | Declan McCullagh, “Feds tell Web firms to turn over user account passwords” (July 25, 2013) c|net, available at http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/. |
| ↑3 | John Naughton, “Edward Snowden’s not the story. The fate of the internet is” (July 27, 2013) The Guardian, available at http://m.guardiannews.com/technology/2013/jul/28/edward-snowden-death-of-internet. |
| ↑4 | Cindy Cohn and Julie Samuels, “Megaupload and the Government’s Attack on Cloud Computing” (October 31, 2012) Electronic Frontier Federation, available at https://www.eff.org/deeplinks/2012/10/governments-attack-cloud-computing. |
| ↑5 | Josiah Dykstra, “Seizing Electronic Evidence from Cloud Computing Environments,” in Cybercrime and Cloud Forensics: Applications for Investigation Processes (2012) Ch. 7, p. 162. Although this is a very expensive book, and the individual chapters are available online in some locations for around $35-$40 each, I found this chapter was free at http://www.csee.umbc.edu/~dykstra/Seizing-Electronic-Evidence-from-Cloud-Computing-Environments.pdf. |
| ↑6 | Winston Maxwell and Christopher Wolf, “A Global Reality: Governmental Access to Data in the Cloud” (23 May 2012) A Hogan Lovells White Paper, p. 3. |
| ↑7 | Brian Fung, “What the subpoena scandal means for your electronic privacy” (May 15, 2013) Nextgov.com, available at http://www.nextgov.com/cloud-computing/2013/05/what-ap-subpoena-scandal-means-your-electronic-privacy/63169/, emphasis added. |
| ↑8 | Aristophanes (2012-11-01). The Clouds (Kindle Locations 1133-1136). Kindle Edition. |