For cloud computing to grow, we’d like a balance between individual privacy and control of information, and the government’s ability to fight crime and terrorism. Persistent encryption stands out as the answer.
The ongoing case of the government versus Lavabit was a hot topic of debate at RSA — not only concerning the merits of the case, but as it demonstrates how the increasingly stringent safe harbor provisions within the European Union can impact US companies doing business inside the cloud.
For people who didn’t follow the tale, Lavabit, a corporation that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levinson was prohibited from disclosing any information when it comes to the shuttering of the business, in addition to the main points resulting in the termination of Lavabit.
After court documents were unsealed, it emerged that Levison was resisting a central authority order to produce Lavabit’s encryption key to authorities. The character of the Lavabit email service was that a single key was shared for encrypting all client email. The govt. insisted on acquiring the major, in order that it might access one client’s email account — ex-National Security Agency contractor Edward Snowden. Lavabit objected to turning in the encryption key, because it wouldn’t only decrypt one client’s email, however it would also provide access to the company’s few hundred thousand customers’ data within the clear.
So what does the usa government’s legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On an effortless level, the relationship is clear — both are reactions to activities by the NSA (and other agencies within and outdoors of the usa) to access vast amounts of cloud data without the info owner’s knowledge or consent. However, this issue is far larger than the NSA.
The NSA is doing what it was created to do: collect data, analyze it, and use it to offer protection to US interests. Up to now, we’ve not seen its agents violate the foundations they’re sworn to uphold. However, the larger issue is considered one of privacy — a fundamental right this is fueling an incredible debate over whether persons are willing to surrender privacy in exchange for security.
In the case of the european and its Safe Harbor provisions, regulators are moving in the direction of a version that requires the cloud merchant (CSP) to no less than notify data owners when their information was accessed.
Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the way forward for cloud computing policies. For cloud computing to keep growing, there must be a stronger balance between end users’ requirements for privacy, confidentiality, and direct control of knowledge, and the facility for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted during the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, on the expense of user privacy and confidentiality.
What differentiates the Lavabit case from new EU data residency requirements that flag changes to Safe Harbor provisions which have governed data transfers for greater than a decade is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data throughout the courts. Changes to the Safe Harbor provisions will probably place a brand new set of necessities on CSPs (or a minimum of compel them to uphold their very own privacy policies better). And they’re going to need to consult directly with major cloud service providers (most of whom are based within the US) to make that happen.
Regardless of the result of both the Lavabit case and the EU’s revised set of Safe Harbor provisions, you will be sure that the cloud landscape may be different six months from now — and it’ll continue to modify into the long run. Recent modifications recommended by President Obama on how phone metadata collection is performed in all probability mean that privacy concerns will play a better role in national security investigation policies.
On any other hand, Lavabit’s legal response to an appeal by the govt. requesting the defunct service provider’s encryption key means that it’ll be a lengthy process in the US to have policies changed, a result of investments the govt. has made in data mining and capture technologies. Already, we’ve seen explicit pushback from the intelligence community to the stairs outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes way past that. Other government agencies accessing data with a subpoena, consisting of the IRS, may induce more sensitive issues on this privacy vs. security debate.
Sieve theory
The present methodology relies on what some observers are calling the sieve theory: It’s not relevant as much what data goes into the information mining process; the data that’s made out of the method justifies the activity. During action, all types of enterprise data can get caught up and stored in ways in which the knowledge owners never intended — no matter legal arguments about Fourth Amendment rights.
So what options can be found to enterprises trying to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?
Customers ought to proactively take control in their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit isn’t any longer sufficient. In order for the info is rarely decrypted outside their control, businesses must implement encryption “in use.” This kind, they could apply an appropriate governance over the knowledge, even with where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the purposes of law enforcement and anti-terrorism agencies.
If there’s a legitimate and lawful the reason for this is that a company should give up data in accordance with a request, then businesses must have a seat on the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only real thanks to accomplish this.
We each play a job in protecting information that ought to be private on this real-life drama. The government’s role is to continue to collect and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping as much as do their part to give protection to their environments from internal and external threats. Most significantly, all of us have personal responsibility, besides, and we must take action to implement persistent encryption to give protection to what we believe in.
Elad Yoran is currently CEO and Chairman of Vaultive. His nearly twenty years inside the cyber security industry spans experience as an executive, consultant, investor, investment banker and a several-time successful entrepreneur. Elad’s entrepreneurial experience includes Riptech, … View Full Bio
More Insights